Fix deprecated config options in cross-seed

Add IPTorrents and ignore uploads for cross-seed
Prefer season packs over single episodes for anime
2025-09-22 14:26:49 -04:00 · 2025-09-22 14:07:51 -04:00 · 2025-09-17 10:06:17 -04:00 · 2025-09-17 10:04:09 -04:00 · 2025-09-05 17:03:39 -04:00 · 2025-09-05 16:11:25 -04:00
91 changed files with 6384 additions and 333 deletions
--- a/README.md
+++ b/README.md
@@ -23,13 +23,12 @@ Having Plex and Jellyfin separate from the rest of my docker infrastructure allo
 **Storage:**
 * `/`: 1 TB NVME SSD
 * `/vm_storage`: 2x 240 GB SSD in ZFS mirror for config and data files
-* `/mnt/storage`: mergerfs + SnapRAID pool totaling 150 TiB usable storage with single disk parity (YOLO). Drives run btrfs allowing me to utilize [snapraid-btrfs](https://wiki.selfhosted.show/tools/snapraid-btrfs/) for instant snapshotting
+* `/mnt/storage`: mergerfs + SnapRAID pool totaling ~90 TiB usable storage. Currently single parity disk but hoping to add a second one soon. Drives run btrfs allowing me to utilize [snapraid-btrfs](https://wiki.selfhosted.show/tools/snapraid-btrfs/) for instant snapshotting
 ## Roadmap
 * Flesh out backup strategy with btrfs snapshots and restic (separately)
-* Potentially migrate media pool to ZFS. I've been lucky so far with no drive failures but realistically if I did have one fail, it would take ages to rebuild with single disk parity and I'd be wishing I had a more robust setup.
+* Move everything to Arch VMs on Proxmox
 * Move everything to Arch LXCs on Proxmox
 * Possibly set up second Proxmox node for backups
 * Immich for photo management
 * Look into [Wazuh](https://github.com/wazuh/wazuh) for threat prevention/detection
--- a/ansible/roles/authentik/handlers/main.yml
+++ b/ansible/roles/authentik/handlers/main.yml
@@ -0,0 +1,5 @@
 - name: restart searxng
  community.docker.docker_compose_v2:
    project_src: "{{ install_directory }}/{{ role_name }}"
    restarted: true
--- a/ansible/roles/authentik/tasks/main.yml
+++ b/ansible/roles/authentik/tasks/main.yml
@@ -0,0 +1,30 @@
 - name: Create install directory
  file:
    path: "{{ install_directory }}/{{ role_name }}"
    state: directory
    owner: "{{ docker_user }}"
    mode: "{{ docker_compose_directory_mask }}"
  become: true
 - name: Copy docker-compose file to destination
  template:
    src: docker-compose.yml
    dest: "{{ install_directory }}/{{ role_name }}/docker-compose.yml"
    owner: "{{ docker_user }}"
    mode: "{{ docker_compose_file_mask }}"
    validate: docker compose -f %s config
  become: true
 - name: Copy settings file to destionation
  template:
    src: settings.yml
    dest: "{{ data_dir }}/{{ role_name }}/settings.yml"
    owner: "{{ docker_user }}"
  become: true
  notify: restart searxng
 - name: Start docker container
  community.docker.docker_compose_v2:
    project_src: "{{ install_directory }}/{{ role_name }}"
    pull: always
    remove_orphans: yes
--- a/ansible/roles/authentik/templates/docker-compose.yml
+++ b/ansible/roles/authentik/templates/docker-compose.yml
@@ -0,0 +1,37 @@
 networks:
  traefik:
    external: true
 services:
  searxng:
    container_name: searxng
    image: searxng/searxng
    restart: unless-stopped
    networks:
      - traefik
    volumes:
      - "{{ data_dir }}/{{ role_name }}:/etc/searxng"
    cap_drop:
      - ALL
    cap_add:
      - CHOWN
      - SETGID
      - SETUID
    labels:
      traefik.enable: true
      traefik.http.routers.searxng.rule: "Host(`search.{{ personal_domain }}`)"
      traefik.http.routers.searxng.middlewares: lan-whitelist@file
  redis:
    image: redis:alpine
    restart: unless-stopped
    command: redis-server --save "" --appendonly "no"
    tmpfs:
      - /var/lib/redis
    cap_drop:
      - ALL
    cap_add:
      - SETGID
      - SETUID
      - DAC_OVERRIDE
--- a/ansible/roles/authentik/templates/settings.yml
+++ b/ansible/roles/authentik/templates/settings.yml
--- a/ansible/roles/authentik/vars/main.yml
+++ b/ansible/roles/authentik/vars/main.yml
@@ -0,0 +1,10 @@
 searxng_secret_key: !vault |
  $ANSIBLE_VAULT;1.1;AES256
  33656138666464373665663339363665346566613637626131363335336535313131333265646539
  3037373439643964343139383764386364623961383737610a313063613736316437366239663238
  65333735633661316463336665353138623264396534383865363134613165636164303765356265
  3865626366613966660a313738353339313133393765643136306361373061366132373130656531
  61396230346333346636356562353733623332333662653164373630626339376433353663313862
  61303230613135336662313531313836363466623162666233646231616333643536303233616231
  62353866333465646162633738383866363338383932623335353038393130323932343363653233
  62663465386661663262
--- a/ansible/roles/barassistant/files/nginx.conf
+++ b/ansible/roles/barassistant/files/nginx.conf
@@ -0,0 +1,22 @@
 server {
    listen 3000 default_server;
    listen [::]:3000 default_server;
    server_name _;
    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt  { access_log off; log_not_found off; }
    client_max_body_size 100M;
    location /bar/ {
        proxy_pass http://bar-assistant:3000/;
    }
    location /search/ {
        proxy_pass http://meilisearch:7700/;
    }
    location / {
        proxy_pass http://salt-rim:8080/;
    }
 }
--- a/ansible/roles/barassistant/tasks/main.yml
+++ b/ansible/roles/barassistant/tasks/main.yml
@@ -0,0 +1,44 @@
 - name: Create service user
  user:
    name: "{{ role_name }}"
    system: true
  register: service_user
  become: true
 - name: Create install directory
  file:
    path: "{{ install_directory }}/{{ role_name }}"
    state: directory
    owner: "{{ docker_user }}"
    mode: "{{ docker_compose_directory_mask }}"
  become: true
 - name: Create data directory
  file:
    path: "{{ data_dir }}/barassistant/barassistant"
    state: directory
    owner: 33
    mode: "{{ docker_compose_directory_mask }}"
  become: true
 - name: Copy docker-compose file to destination
  template:
    src: docker-compose.yml
    dest: "{{ install_directory }}/{{ role_name }}/docker-compose.yml"
    owner: "{{ docker_user }}"
    mode: "{{ docker_compose_file_mask }}"
    validate: docker compose -f %s config
  become: true
 - name: Copy nginx.conf to destination
  copy:
    src: nginx.conf
    dest: "{{ install_directory }}/{{ role_name }}/nginx.conf"
    mode: "{{ docker_compose_file_mask }}"
  become: true
 - name: Start docker container
  community.docker.docker_compose_v2:
    project_src: "{{ install_directory }}/{{ role_name }}"
    pull: always
    remove_orphans: yes
--- a/ansible/roles/barassistant/templates/docker-compose.yml
+++ b/ansible/roles/barassistant/templates/docker-compose.yml
@@ -0,0 +1,71 @@
 networks:
  traefik:
    external: true
 services:
  meilisearch:
    image: getmeili/meilisearch:v1.12
    restart: unless-stopped
    networks:
      - default
    environment:
      MEILI_MASTER_KEY: "{{ meili_master_key }}"
      MEILI_ENV: production
    volumes:
      - "{{ data_dir }}/barassistant/meilisearch:/meili_data"
  redis:
    image: redis
    restart: unless-stopped
    networks:
      - default
    environment:
      ALLOW_EMPTY_PASSWORD: "True"
  bar-assistant:
    container_name: bar-assistant
    image: barassistant/server:v5
    restart: unless-stopped
    networks:
      - default
    depends_on:
      - meilisearch
      - redis
    environment:
      APP_URL: "{{ base_url }}/bar"
      LOG_CHANNEL: stderr
      MEILISEARCH_KEY: "{{ meili_master_key }}"
      MEILISEARCH_HOST: http://meilisearch:7700
      REDIS_HOST: redis
      ALLOW_REGISTRATION: "True"
    volumes:
      - "{{ data_dir }}/barassistant/barassistant:/var/www/cocktails/storage/bar-assistant"
  salt-rim:
    image: barassistant/salt-rim:v4
    restart: unless-stopped
    networks:
      - default
    depends_on:
      - bar-assistant
    environment:
      API_URL: "{{ base_url }}/bar"
      MEILISEARCH_URL: "{{ base_url }}/search"
      BAR_NAME: "Cocktails"
      DESCRIPTION: Why is the rum always gone?
      DEFAULT_LOCALE: "en-US"
  webserver:
    image: nginx:alpine
    restart: unless-stopped
    networks:
      - traefik
      - default
    volumes:
      - "./nginx.conf:/etc/nginx/conf.d/default.conf"
    labels:
      traefik.enable: true
      traefik.http.routers.barassistant.rule: "Host(`cocktails.{{ personal_domain }}`)"
      traefik.http.services.barassistant.loadbalancer.server.port: 3000
      traefik.http.routers.bariassistant.middlewares: lan-whitelist@file
--- a/ansible/roles/barassistant/vars/main.yml
+++ b/ansible/roles/barassistant/vars/main.yml
@@ -0,0 +1,15 @@
 meili_master_key: !vault |
  $ANSIBLE_VAULT;1.1;AES256
  61306335316339383330323264646132363837376264646235353562666239386463613431366361
  3333666463623564393061616339393164353465633866320a303530613862386466383161623532
  61653861653032303232666530623739303231363536316530386566313466333236613331303833
  3734656334333366650a366261323139363635316264383966626237396338663030393931313532
  33343737316535336539363135333834333462393330663038376132393661323866656132356566
  39653732366333306134393965383339336330326566303230613362393366383561303939363937
  64396230323664393236303939643337393034646637643766323938663961636639326466653332
  30343132636534613835646163643832373835663030326635323236386361346133633964303137
  36623631353931343861383232373231613837393936316635393838323466656330653835343932
  64333432386133313363626630623837643237616132336664303963323062386365623266623333
  343233663635306361333065313334313361
 base_url: "https://cocktails.{{ personal_domain }}"
--- a/ansible/roles/beets/files/config.yaml
+++ b/ansible/roles/beets/files/config.yaml
@@ -1,7 +1,7 @@
 directory: /music
 per_disc_numbering: yes
-plugins: fetchart embedart web inline lyrics musicbrainz scrub lastgenre replaygain
+plugins: fetchart web inline lyrics
 paths:
    default: $albumartist/$album%aunique{}/%if{$multidisc,$disc}$track - $title
@@ -12,7 +12,7 @@ item_fields:
 import:
    write: yes
-    move: yes
+    hardlink: yes
    resume: ask
    incremental: yes
    quiet_fallback: skip
@@ -28,32 +28,13 @@ embedart:
 fetchart:
    auto: yes
    high_resolution: yes
    source:
      - filesystem
      - itunes
      - coverart
      - amazon
 match:
    strong_rec_thresh: 0.10
    ignored_media: ['12" Vinyl']
 lyrics:
-    sources: [lrclib, genius, tekstowo]
+    sources: [lrclib, genius]
 scrub:
    auto: yes
 replaygain:
    auto: yes
    backend: ffmpeg
 # Consider directory empty even if files matching the below patterns are present
 clutter:
  - "*.jpg"
  - "*.png"
  - "*.nfo"
 replace:
    '^\.': _
    '[\x00-\x1f]': _
--- a/ansible/roles/btc/tasks/bitcoin.yml
+++ b/ansible/roles/btc/tasks/bitcoin.yml
@@ -0,0 +1,11 @@
 - name: Install bitcoin daemon
  ansible.builtin.package:
    name: bitcoin-daemon
    state: present
  become: true
 - name: Enable bitcoind
  ansible.builtin.service:
    name: bitcoind
    state: started
    enabled: yes
--- a/ansible/roles/btc/tasks/tor.yml
+++ b/ansible/roles/btc/tasks/tor.yml
@@ -0,0 +1,6 @@
 - name: Install tor
  ansible.builtin.package:
    name: tor
    state: present
--- a/ansible/roles/btc/tasks/ufw.yml
+++ b/ansible/roles/btc/tasks/ufw.yml
@@ -0,0 +1,32 @@
 - name: Install Uncomplicated Firewall
  ansible.builtin.package:
    name: ufw
    state: present
 # UFW logging can full up the kernel (dmesg) and message logs
 - name: Disable logging
  community.general.ufw:
    logging: 'off'
 - name: Allow OpenSSH inbound
  community.general.ufw:
    rule: allow
    name: OpenSSH # Uses standard profile located in /etc/ufw/applications.d
 - name: Apply rate limiting to ssh inbound
  community.general.ufw:
    rule: limit
    port: ssh
    proto: tcp
 - name: Enable ufw system service
  ansible.builtin.service:
    name: ufw
    state: started
    enabled: yes
 # This is necessary in addition to enabling the system service
 - name: Enable ufw rules
  community.general.ufw:
    state: enabled
    policy: deny
--- a/ansible/roles/deemix/tasks/main.yml
+++ b/ansible/roles/deemix/tasks/main.yml
@@ -0,0 +1,31 @@
 - name: Create service user
  user:
    name: "{{ role_name }}"
    groups: "{{ media_group }}"
    append: yes
    system: true
  register: service_user
  become: true
 - name: Create install directory
  file:
    path: "{{ install_directory }}/{{ role_name }}"
    state: directory
    owner: "{{ docker_user }}"
    mode: "{{ docker_compose_directory_mask }}"
  become: true
 - name: Copy docker-compose file to destination
  template:
    src: docker-compose.yml
    dest: "{{ install_directory }}/{{ role_name }}/docker-compose.yml"
    owner: "{{ docker_user }}"
    mode: "{{ docker_compose_file_mask }}"
    validate: docker compose -f %s config
  become: true
 - name: Start docker container
  community.docker.docker_compose_v2:
    project_src: "{{ install_directory }}/{{ role_name }}"
    pull: always
    remove_orphans: yes
--- a/ansible/roles/deemix/templates/docker-compose.yml
+++ b/ansible/roles/deemix/templates/docker-compose.yml
@@ -0,0 +1,25 @@
 networks:
  traefik:
    external: true
 services:
  {{ role_name }}:
    container_name: "{{ role_name }}"
    image: registry.gitlab.com/bockiii/deemix-docker
    restart: unless-stopped
    networks:
      - traefik
    environment:
      - "PUID={{ service_user.uid }}"
      - "PGID={{ media_gid }}"
      - "TZ={{ timezone }}"
      - "UMASK_SET=002"
      - "DEEMIX_SINGLE_USER=true"
    volumes:
      - "{{ data_dir }}/{{ role_name }}:/config"
      - "{{ media_storage_mnt }}/data/import/music/deemix:/downloads"
    labels:
      traefik.enable: true
      traefik.http.routers.{{ role_name }}.rule: "Host(`{{ role_name }}.local.{{ personal_domain }}`)"
      traefik.http.routers.{{ role_name }}.middlewares: lan-whitelist@file
--- a/ansible/roles/dispatcharr/templates/docker-compose.yml
+++ b/ansible/roles/dispatcharr/templates/docker-compose.yml
@@ -1,24 +0,0 @@
 networks:
  traefik:
    external: true
 services:
  dispatcharr:
    container_name: "{{ role_name }}"
    image: ghcr.io/dispatcharr/dispatcharr:latest
    restart: unless-stopped
    network_mode: "container:gluetun"
    environment:
      - DISPATCHARR_ENV=aio
      - REDIS_HOST=localhost
      - CELERY_BROKER_URL=redis://localhost:6379/0
      - DISPATCHARR_LOG_LEVEL=info
    volumes:
      - "{{ data_dir }}/{{ role_name }}:/data"
    devices:
      - /dev/dri/renderD128:/dev/dri/renderD128
    labels:
      traefik.enable: true
      traefik.http.routers.dispatcharr.rule: "Host(`dispatcharr.local.{{ personal_domain }}`)"
      traefik.http.routers.dispatcharr.middlewares: lan-whitelist@file
      traefik.http.services.dispatcharr.loadbalancer.server.port: 9191
--- a/ansible/roles/dispatcharr/tasks/main.yml
+++ b/ansible/roles/dispatcharr/tasks/main.yml
@@ -1,5 +1,5 @@
 - name: Create install directory
-  ansible.builtin.file:
+  file:
    path: "{{ install_directory }}/{{ role_name }}"
    state: directory
    owner: "{{ docker_user }}"
@@ -7,7 +7,7 @@
  become: true
 - name: Copy docker-compose file to destination
-  ansible.builtin.template:
+  template:
    src: docker-compose.yml
    dest: "{{ install_directory }}/{{ role_name }}/docker-compose.yml"
    owner: "{{ docker_user }}"
--- a/ansible/roles/firefly3/templates/docker-compose.yml
+++ b/ansible/roles/firefly3/templates/docker-compose.yml
@@ -0,0 +1,65 @@
 networks:
  firefly_iii:
    driver: bridge
  traefik:
    external: true
 services:
  app:
    image: fireflyiii/core:latest
    container_name: firefly_iii_core
    restart: unless-stopped
    volumes:
      - "{{ data_dir }}/firefly3/upload:/var/www/html/storage/upload"
    depends_on:
      - db
    networks:
      - traefik
      - default
    environment:
      APP_ENV: local
      APP_DEBUG: "false"
      APP_KEY: "{{ app_key }}"
      SITE_OWNER: {{ owner_email_address }}
      DEFAULT_LANGUAGE: "en_US"
      DEFAULT_LOCALE: equal
      TZ: {{ timezone }}
      TRUSTED_PROXIES: "*"
      APP_LOG_LEVEL: notice
      AUDIT_LOG_LEVEL: info
      DB_CONNECTION: mysql
      DB_HOST: db
      DB_PORT: 3306
      DB_DATABASE: firefly
      DB_USERNAME: firefly
      DB_PASSWORD: firefly
      APP_URL: "https://firefly.local.{{ personal_domain }}"
      STATIC_CRON_TOKEN: "Y5uNSbJoK4FKUC9gVE5hq8YFEbFmc6BK"
    labels:
      traefik.enable: true
      traefik.http.routers.firefly.rule: "Host(`firefly.local.{{ personal_domain }}`)"
      traefik.http.routers.firefly.middlewares: lan-whitelist@file
  db:
    image: mariadb
    restart: always
    volumes:
      - "{{ data_dir }}/mariadb/firefly3:/var/lib/mysql"
    environment:
      MYSQL_RANDOM_ROOT_PASSWORD: "yes"
      MYSQL_USER: firefly
      MYSQL_PASSWORD: firefly
      MYSQL_DATABASE: firefly
  cron:
    #
    # To make this work, set STATIC_CRON_TOKEN in your .env file or as an environment variable and replace REPLACEME below
    # The STATIC_CRON_TOKEN must be *exactly* 32 characters long
    #
    image: alpine
    restart: always
    container_name: firefly_iii_cron
    command: sh -c "echo \"0 3 * * * wget -qO- https://firefly.local.{{ personal_domain }}/api/v1/cron/Y5uNSbJoK4FKUC9gVE5hq8YFEbFmc6BK\" | crontab - && crond -f -L /dev/stdout"
    networks:
      - firefly_iii
      - default
--- a/ansible/roles/firefly3/vars/main.yml
+++ b/ansible/roles/firefly3/vars/main.yml
@@ -0,0 +1,17 @@
 owner_email_address: !vault |
  $ANSIBLE_VAULT;1.1;AES256
  61373861363433363938396137653461363830323539316438323861326437663364383032363064
  6438303462336466373233663366303263313139333830330a623465633166653530633961643162
  65303032386661393063393134643436653737666163373833383036316234393563313536353036
  3839663034393730340a626361646463636137636535653632343064353461656532656236633865
  66636634323434356436313737336635363832333262383331333034313530663463
 app_key: !vault |
  $ANSIBLE_VAULT;1.1;AES256
  31333563616230396135363562313038346138633631613832646463343666643733333366303561
  3461316337303862616662333031306231613532383534340a643236306232383466333531626466
  33313830646365333935313237663134343033396166623730303030636438656435313462633762
  3134643738616365330a636366343736306539666565663866626537303431366633646638663563
  32616439336338393663373466323630323733393031633564383737383465313434313230323038
  6534636266653166633539326632623165663436323936643031
--- a/ansible/roles/game-thumbs/templates/docker-compose.yml
+++ b/ansible/roles/game-thumbs/templates/docker-compose.yml
@@ -1,31 +0,0 @@
 services:
  game-thumbs:
    image: ghcr.io/sethwv/game-thumbs:latest
    container_name: game-thumbs
    restart: unless-stopped
    labels:
      - "autoheal=true"
    ports:
      - 3050:3050
    environment:
      PORT: 3050
      NODE_ENV: ${NODE_ENV:-production}
      SHOW_TIMESTAMP: ${SHOW_TIMESTAMP:-true}
      LOG_TO_FILE: ${LOG_TO_FILE:-false}
      MAX_LOG_FILES: ${MAX_LOG_FILES:-10}
    volumes:
      - "{{ data_dir }}/game-thumbs/cache:/app/.cache
    healthcheck:
      test: ["CMD", "node", "-e", "require('http').get('http://localhost:3050/health', (r) => {let d='';r.on('data', (c) => d+=c);r.on('end', () => {if (r.statusCode !== 200) process.exit(1);const j=JSON.parse(d);process.exit(j.status==='ok'?0:1)})}).on('error', () => process.exit(1))"]
      interval: 30s
      timeout: 5s
      start_period: 10s
      retries: 3
  autoheal:
     image: willfarrell/autoheal:latest
     container_name: autoheal
     restart: unless-stopped
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock
     environment:
       AUTOHEAL_CONTAINER_LABEL: "autoheal"
--- a/ansible/roles/gluetun/templates/docker-compose.yml
+++ b/ansible/roles/gluetun/templates/docker-compose.yml
@@ -1,3 +1,5 @@
 version: "3"
 networks:
  traefik:
    external: true
@@ -19,14 +21,13 @@ services:
      VPN_TYPE: wireguard
      VPN_SERVICE_PROVIDER: custom
      WIREGUARD_PRIVATE_KEY: "{{ torguard_private_key }}"
-      WIREGUARD_PUBLIC_KEY: "fLDSO1YJxryyquen+XupegFQWhsWkGva+g3BtuIRyWs="
+      WIREGUARD_PUBLIC_KEY: "sC96pq087HvVpRNA5oKjiotwGuRRZbdLiTgmqP+Du2s="
      WIREGUARD_ADDRESSES: "{{ torguard_address }}"
-      VPN_ENDPOINT_IP: "38.96.254.100"
+      VPN_ENDPOINT_IP: "146.70.137.122"
      VPN_ENDPOINT_PORT: "1443"
-      FIREWALL_VPN_INPUT_PORTS: "45333"
+      FIREWALL_VPN_INPUT_PORTS: "55230"
      FIREWALL_OUTBOUND_SUBNETS: "10.0.0.0/24"
      DOT: "off"
-      DNS_ADDRESS: "10.8.0.1"
+      DNS_ADDRESS: "9.9.9.9"
      TZ: "{{ timezone }}"
      HTTPPROXY: "on"
      HTTPPROXY_USER: httpproxy
--- a/ansible/roles/gluetun/vars/main.yml
+++ b/ansible/roles/gluetun/vars/main.yml
@@ -1,17 +1,17 @@
 torguard_private_key: !vault |
  $ANSIBLE_VAULT;1.1;AES256
-  30666664646463323238386164393462633236643531656564343835383661623335363562396631
+  38386463313536353366303733396232663136393431656432346332353131333630343730336262
-  3439303437393364353064653338376563383362316237300a616338303763653034656564316630
+  3436633832613935323134393662666233643032613463310a656364653639363739306265306361
-  30626437396531323763633133363565383530393737383064366661313430623936646264373933
+  61616261663139323238636634306330393733393065373138323463653935366335363639626265
-  3734313736356534390a633837333264383233313962326636323534346163353064306539323230
+  3862396562393536320a366335363435636436333139356239306262303838333162613530643732
-  32373237396534366638356631333266386265353862666436323665376339363236336361653937
+  64336161306633343866383538303536316163396566326336633961333136373736373364343430
-  6236396266336637383032643434656234653232303236373931
+  3361613566346563346664353834613361616666383065303162
 torguard_address: !vault |
  $ANSIBLE_VAULT;1.1;AES256
-  38313562363039623039623164373435653833333763653562626434666431666435653037393034
+  61626363346663646462626434316566353464623161396362356330333338616466633266383733
-  6130396230363362633761343636313066333433363135370a333732353335336231366433393631
+  3363393464616534316339393935646438333764383765370a383236613539613866373838353061
-  38393131326565633433363138346363343863393730613936643034353435656438613331343763
+  39393661393035373132663439653361363761613264656462623237336637356162623439336238
-  3138616466623530350a383164616533303461396365316331633061333431366639356637396337
+  6635383734303539640a336366373164336262363630636562636136316166343362306265326163
-  34343533366261343837653763636333326634373935316465613233316564623266
+  39306365613539383666303130633937643238653635393738323665323938646335
--- a/ansible/roles/game-thumbs/tasks/main.yml
+++ b/ansible/roles/game-thumbs/tasks/main.yml
@@ -1,5 +1,5 @@
 - name: Create install directory
-  ansible.builtin.file:
+  file:
    path: "{{ install_directory }}/{{ role_name }}"
    state: directory
    owner: "{{ docker_user }}"
@@ -7,7 +7,7 @@
  become: true
 - name: Copy docker-compose file to destination
-  ansible.builtin.template:
+  template:
    src: docker-compose.yml
    dest: "{{ install_directory }}/{{ role_name }}/docker-compose.yml"
    owner: "{{ docker_user }}"
--- a/ansible/roles/lubelogger/templates/docker-compose.yml
+++ b/ansible/roles/lubelogger/templates/docker-compose.yml
@@ -0,0 +1,27 @@
 networks:
  traefik:
    external: true
 services:
  lubelogger:
    container_name: lubelogger
    image: ghcr.io/hargata/lubelogger:latest
    restart: unless-stopped
    networks:
      - traefik
    environment:
      - LC_ALL=en_US.UTF-8
      - LANG=en_US.UTF-8
      - MailConfig__EmailServer=""
      - MailConfig__EmailFrom=""
      - MailConfig__Port=587
      - MailConfig__Username=""
      - MailConfig__Password=""
      - LOGGING__LOGLEVEL__DEFAULT=Error
    volumes:
      - "{{ data_dir }}/{{ role_name }}:/App"
    labels:
      traefik.enable: true
      traefik.http.routers.lubelogger.rule: "Host(`lubelogger.local.{{ personal_domain }}`)"
      traefik.http.routers.lubelogger.middlewares: lan-whitelist@file
--- a/ansible/roles/teamarr/tasks/main.yml
+++ b/ansible/roles/teamarr/tasks/main.yml
@@ -1,5 +1,12 @@
 - name: Create service user
  user:
    name: "{{ role_name }}"
    system: true
  register: service_user
  become: true
 - name: Create install directory
-  ansible.builtin.file:
+  file:
    path: "{{ install_directory }}/{{ role_name }}"
    state: directory
    owner: "{{ docker_user }}"
@@ -7,7 +14,7 @@
  become: true
 - name: Copy docker-compose file to destination
-  ansible.builtin.template:
+  template:
    src: docker-compose.yml
    dest: "{{ install_directory }}/{{ role_name }}/docker-compose.yml"
    owner: "{{ docker_user }}"
--- a/ansible/roles/mealie/templates/docker-compose.yml
+++ b/ansible/roles/mealie/templates/docker-compose.yml
@@ -0,0 +1,66 @@
 networks:
  traefik:
    external: true
  default:
    internal: true
 services:
  mealie-frontend:
    image: hkotel/mealie:frontend-v1.0.0beta-5
    container_name: mealie-frontend
    restart: unless-stopped
    depends_on:
      - mealie-api
    networks:
      - default
      - traefik
    environment:
      - API_URL=http://mealie-api:9000 # 
    volumes:
      - "{{ data_dir }}/mealie:/app/data"
    labels:
      traefik.enable: true
      traefik.http.routers.mealie.rule: "Host(`mealie.{{ personal_domain }}`)"
      traefik.http.services.mealie.loadbalancer.server.port: 3000
  mealie-api:
    image: hkotel/mealie:api-v1.0.0beta-5
    container_name: mealie-api
    restart: unless-stopped
    depends_on:
      - postgres
    networks:
      - default
    volumes:
      - "{{ data_dir }}/mealie:/app/data"
    environment:
      - ALLOW_SIGNUP=false
      - "PUID={{ service_user.uid }}"
      - "PGID={{ service_user.uid }}"
      - "TZ={{ timezone }}"
      - MAX_WORKERS=1
      - WEB_CONCURRENCY=1
      - "BASE_URL=https://mealie.{{ personal_domain }}"
      - DB_ENGINE=postgres
      - POSTGRES_USER=mealie
      - POSTGRES_PASSWORD=mealie
      - POSTGRES_SERVER=postgres
      - POSTGRES_PORT=5432
      - POSTGRES_DB=mealie
      - "DEFAULT_EMAIL={{ email }}"
      - TOKEN_TIME=168
    dns:
      - 10.0.0.1
  postgres:
    container_name: postgres
    image: postgres
    restart: always
    networks:
      - default
    volumes:
      - "{{ data_dir }}/postgres/mealie:/var/lib/postgresql/data"
    environment:
      POSTGRES_PASSWORD: mealie
      POSTGRES_USER: mealie
--- a/ansible/roles/mealie/vars/main.yml
+++ b/ansible/roles/mealie/vars/main.yml
@@ -0,0 +1,7 @@
 email: !vault |
  $ANSIBLE_VAULT;1.1;AES256
  30343965383433393930313337303637353362616563313863396433323939393864393436376534
  6438663537386464623830316136643461356631316436360a636664323436303464376630616639
  62653263633531343733313137303863623562616632313236376466313132636234633438616164
  3030303934343761390a663734333566323234613434633636353665623530643262353162383237
  66633863376332663064346132356238333561663438643232646463646632656361
--- a/ansible/roles/ntfy/handlers/main.yml
+++ b/ansible/roles/ntfy/handlers/main.yml
@@ -0,0 +1,4 @@
 - name: restart ntfy
  community.docker.docker_compose_v2:
    project_src: "{{ install_directory }}/ntfy"
    restarted: true
--- a/ansible/roles/ntfy/tasks/main.yml
+++ b/ansible/roles/ntfy/tasks/main.yml
@@ -0,0 +1,31 @@
 - name: Create install directory
  file:
    path: "{{ install_directory }}/{{ role_name }}"
    state: directory
    owner: "{{ docker_user }}"
    mode: "{{ docker_compose_directory_mask }}"
  become: true
 - name: Copy docker-compose file to destination
  template:
    src: docker-compose.yml
    dest: "{{ install_directory }}/{{ role_name }}/docker-compose.yml"
    owner: "{{ docker_user }}"
    mode: "{{ docker_compose_file_mask }}"
    validate: docker compose -f %s config
  become: true
 - name: Install configuration file
  template:
    src: server.yml
    dest: "{{ data_dir }}/ntfy/server.yml"
    owner: "{{ docker_user }}"
    mode: "{{ docker_compose_file_mask }}"
  notify: restart ntfy
  become: true
 - name: Start docker container
  community.docker.docker_compose_v2:
    project_src: "{{ install_directory }}/{{ role_name }}"
    pull: always
    remove_orphans: yes
--- a/ansible/roles/ntfy/templates/docker-compose.yml
+++ b/ansible/roles/ntfy/templates/docker-compose.yml
@@ -0,0 +1,24 @@
 networks:
  traefik:
    external: true
 services:
  ntfy:
    container_name: ntfy
    image: binwiederhier/ntfy:latest
    restart: unless-stopped
    networks:
      - traefik
    user: "{{ primary_uid }}:{{ primary_gid }}"
    environment:
      - TZ={{ timezone }}
    command:
      - serve
    volumes:
      - "{{ data_dir }}/ntfy:/etc/ntfy"
      - /var/cache/ntfy:/var/cache/ntfy
    labels:
      traefik.enable: true
      traefik.http.routers.ntfy.rule: "Host(`push.{{ personal_domain }}`)"
      traefik.http.routers.ntfy.middlewares: lan-whitelist@file
--- a/ansible/roles/ntfy/templates/server.yml
+++ b/ansible/roles/ntfy/templates/server.yml
@@ -0,0 +1,279 @@
 # ntfy server config file
 #
 # Please refer to the documentation at https://ntfy.sh/docs/config/ for details.
 # All options also support underscores (_) instead of dashes (-) to comply with the YAML spec.
 # Public facing base URL of the service (e.g. https://ntfy.sh or https://ntfy.example.com)
 #
 # This setting is required for any of the following features:
 # - attachments (to return a download URL)
 # - e-mail sending (for the topic URL in the email footer)
 # - iOS push notifications for self-hosted servers (to calculate the Firebase poll_request topic)
 # - Matrix Push Gateway (to validate that the pushkey is correct)
 #
 base-url: "https://push.{{ personal_domain }}"
 # Listen address for the HTTP & HTTPS web server. If "listen-https" is set, you must also
 # set "key-file" and "cert-file". Format: [<ip>]:<port>, e.g. "1.2.3.4:8080".
 #
 # To listen on all interfaces, you may omit the IP address, e.g. ":443".
 # To disable HTTP, set "listen-http" to "-".
 #
 # listen-http: ":80"
 # listen-https:
 # Listen on a Unix socket, e.g. /var/lib/ntfy/ntfy.sock
 # This can be useful to avoid port issues on local systems, and to simplify permissions.
 #
 # listen-unix: <socket-path>
 # listen-unix-mode: <linux permissions, e.g. 0700>
 # Path to the private key & cert file for the HTTPS web server. Not used if "listen-https" is not set.
 #
 # key-file: <filename>
 # cert-file: <filename>
 # If set, also publish messages to a Firebase Cloud Messaging (FCM) topic for your app.
 # This is optional and only required to save battery when using the Android app.
 #
 # firebase-key-file: <filename>
 # If "cache-file" is set, messages are cached in a local SQLite database instead of only in-memory.
 # This allows for service restarts without losing messages in support of the since= parameter.
 #
 # The "cache-duration" parameter defines the duration for which messages will be buffered
 # before they are deleted. This is required to support the "since=..." and "poll=1" parameter.
 # To disable the cache entirely (on-disk/in-memory), set "cache-duration" to 0.
 # The cache file is created automatically, provided that the correct permissions are set.
 #
 # The "cache-startup-queries" parameter allows you to run commands when the database is initialized,
 # e.g. to enable WAL mode (see https://phiresky.github.io/blog/2020/sqlite-performance-tuning/)).
 # Example:
 #    cache-startup-queries: |
 #       pragma journal_mode = WAL;
 #       pragma synchronous = normal;
 #       pragma temp_store = memory;
 #       pragma busy_timeout = 15000;
 #       vacuum;
 #
 # The "cache-batch-size" and "cache-batch-timeout" parameter allow enabling async batch writing
 # of messages. If set, messages will be queued and written to the database in batches of the given
 # size, or after the given timeout. This is only required for high volume servers.
 #
 # Debian/RPM package users:
 #   Use /var/cache/ntfy/cache.db as cache file to avoid permission issues. The package
 #   creates this folder for you.
 #
 # Check your permissions:
 #   If you are running ntfy with systemd, make sure this cache file is owned by the
 #   ntfy user and group by running: chown ntfy.ntfy <filename>.
 #
 # cache-file: <filename>
 # cache-duration: "12h"
 # cache-startup-queries:
 # cache-batch-size: 0
 # cache-batch-timeout: "0ms"
 # If set, access to the ntfy server and API can be controlled on a granular level using
 # the 'ntfy user' and 'ntfy access' commands. See the --help pages for details, or check the docs.
 #
 # - auth-file is the SQLite user/access database; it is created automatically if it doesn't already exist
 # - auth-default-access defines the default/fallback access if no access control entry is found; it can be
 #   set to "read-write" (default), "read-only", "write-only" or "deny-all".
 # - auth-startup-queries allows you to run commands when the database is initialized, e.g. to enable
 #   WAL mode. This is similar to cache-startup-queries. See above for details.
 #
 # Debian/RPM package users:
 #   Use /var/lib/ntfy/user.db as user database to avoid permission issues. The package
 #   creates this folder for you.
 #
 # Check your permissions:
 #   If you are running ntfy with systemd, make sure this user database file is owned by the
 #   ntfy user and group by running: chown ntfy.ntfy <filename>.
 #
 # auth-file: <filename>
 # auth-default-access: "read-write"
 # auth-startup-queries:
 # If set, the X-Forwarded-For header is used to determine the visitor IP address
 # instead of the remote address of the connection.
 #
 # WARNING: If you are behind a proxy, you must set this, otherwise all visitors are rate limited
 #          as if they are one.
 #
 behind-proxy: true
 # If enabled, clients can attach files to notifications as attachments. Minimum settings to enable attachments
 # are "attachment-cache-dir" and "base-url".
 #
 # - attachment-cache-dir is the cache directory for attached files
 # - attachment-total-size-limit is the limit of the on-disk attachment cache directory (total size)
 # - attachment-file-size-limit is the per-file attachment size limit (e.g. 300k, 2M, 100M)
 # - attachment-expiry-duration is the duration after which uploaded attachments will be deleted (e.g. 3h, 20h)
 #
 attachment-cache-dir: "/var/cache/ntfy/attachments"
 # attachment-total-size-limit: "5G"
 # attachment-file-size-limit: "15M"
 # attachment-expiry-duration: "3h"
 # If enabled, allow outgoing e-mail notifications via the 'X-Email' header. If this header is set,
 # messages will additionally be sent out as e-mail using an external SMTP server. As of today, only
 # SMTP servers with plain text auth and STARTLS are supported. Please also refer to the rate limiting settings
 # below (visitor-email-limit-burst & visitor-email-limit-burst).
 #
 # - smtp-sender-addr is the hostname:port of the SMTP server
 # - smtp-sender-user/smtp-sender-pass are the username and password of the SMTP user
 # - smtp-sender-from is the e-mail address of the sender
 #
 # smtp-sender-addr:
 # smtp-sender-user:
 # smtp-sender-pass:
 # smtp-sender-from:
 # If enabled, ntfy will launch a lightweight SMTP server for incoming messages. Once configured, users can send
 # emails to a topic e-mail address to publish messages to a topic.
 #
 # - smtp-server-listen defines the IP address and port the SMTP server will listen on, e.g. :25 or 1.2.3.4:25
 # - smtp-server-domain is the e-mail domain, e.g. ntfy.sh
 # - smtp-server-addr-prefix is an optional prefix for the e-mail addresses to prevent spam. If set to "ntfy-",
 #   for instance, only e-mails to ntfy-$topic@ntfy.sh will be accepted. If this is not set, all emails to
 #   $topic@ntfy.sh will be accepted (which may obviously be a spam problem).
 #
 # smtp-server-listen:
 # smtp-server-domain:
 # smtp-server-addr-prefix:
 # Interval in which keepalive messages are sent to the client. This is to prevent
 # intermediaries closing the connection for inactivity.
 #
 # Note that the Android app has a hardcoded timeout at 77s, so it should be less than that.
 #
 # keepalive-interval: "45s"
 # Interval in which the manager prunes old messages, deletes topics
 # and prints the stats.
 #
 # manager-interval: "1m"
 # Defines topic names that are not allowed, because they are otherwise used. There are a few default topics
 # that cannot be used (e.g. app, account, settings, ...). To extend the default list, define them here.
 #
 # Example:
 #   disallowed-topics:
 #     - about
 #     - pricing
 #     - contact
 #
 # disallowed-topics:
 # Defines if the root route (/) is pointing to the landing page (as on ntfy.sh) or the
 # web app. If you self-host, you don't want to change this.
 # Can be "app" (default), "home" or "disable" to disable the web app entirely.
 #
 # web-root: app
 # Various feature flags used to control the web app, and API access, mainly around user and
 # account management.
 #
 # - enable-signup allows users to sign up via the web app, or API
 # - enable-login allows users to log in via the web app, or API
 # - enable-reservations allows users to reserve topics (if their tier allows it)
 #
 # enable-signup: false
 # enable-login: false
 # enable-reservations: false
 # Server URL of a Firebase/APNS-connected ntfy server (likely "https://ntfy.sh").
 #
 # iOS users:
 #   If you use the iOS ntfy app, you MUST configure this to receive timely notifications. You'll like want this:
 #   upstream-base-url: "https://ntfy.sh"
 #
 # If set, all incoming messages will publish a "poll_request" message to the configured upstream server, containing
 # the message ID of the original message, instructing the iOS app to poll this server for the actual message contents.
 # This is to prevent the upstream server and Firebase/APNS from being able to read the message.
 #
 # upstream-base-url:
 # Rate limiting: Total number of topics before the server rejects new topics.
 #
 # global-topic-limit: 15000
 # Rate limiting: Number of subscriptions per visitor (IP address)
 #
 # visitor-subscription-limit: 30
 # Rate limiting: Allowed GET/PUT/POST requests per second, per visitor:
 # - visitor-request-limit-burst is the initial bucket of requests each visitor has
 # - visitor-request-limit-replenish is the rate at which the bucket is refilled
 # - visitor-request-limit-exempt-hosts is a comma-separated list of hostnames, IPs or CIDRs to be
 #   exempt from request rate limiting. Hostnames are resolved at the time the server is started.
 #   Example: "1.2.3.4,ntfy.example.com,8.7.6.0/24"
 #
 # visitor-request-limit-burst: 60
 # visitor-request-limit-replenish: "5s"
 # visitor-request-limit-exempt-hosts: ""
 # Rate limiting: Hard daily limit of messages per visitor and day. The limit is reset
 # every day at midnight UTC. If the limit is not set (or set to zero), the request
 # limit (see above) governs the upper limit.
 #
 # visitor-message-daily-limit: 0
 # Rate limiting: Allowed emails per visitor:
 # - visitor-email-limit-burst is the initial bucket of emails each visitor has
 # - visitor-email-limit-replenish is the rate at which the bucket is refilled
 #
 # visitor-email-limit-burst: 16
 # visitor-email-limit-replenish: "1h"
 # Rate limiting: Attachment size and bandwidth limits per visitor:
 # - visitor-attachment-total-size-limit is the total storage limit used for attachments per visitor
 # - visitor-attachment-daily-bandwidth-limit is the total daily attachment download/upload traffic limit per visitor
 #
 # visitor-attachment-total-size-limit: "100M"
 # visitor-attachment-daily-bandwidth-limit: "500M"
 # Payments integration via Stripe
 #
 # - stripe-secret-key is the key used for the Stripe API communication. Setting this values
 #   enables payments in the ntfy web app (e.g. Upgrade dialog). See https://dashboard.stripe.com/apikeys.
 # - stripe-webhook-key is the key required to validate the authenticity of incoming webhooks from Stripe.
 #   Webhooks are essential up keep the local database in sync with the payment provider. See https://dashboard.stripe.com/webhooks.
 #
 # stripe-secret-key:
 # stripe-webhook-key:
 # Logging options
 #
 # By default, ntfy logs to the console (stderr), with an "info" log level, and in a human-readable text format.
 # ntfy supports five different log levels, can also write to a file, log as JSON, and even supports granular
 # log level overrides for easier debugging. Some options (log-level and log-level-overrides) can be hot reloaded
 # by calling "kill -HUP $pid" or "systemctl reload ntfy".
 #
 # - log-format defines the output format, can be "text" (default) or "json"
 # - log-file is a filename to write logs to. If this is not set, ntfy logs to stderr.
 # - log-level defines the default log level, can be one of "trace", "debug", "info" (default), "warn" or "error".
 #   Be aware that "debug" (and particularly "trace") can be VERY CHATTY. Only turn them on briefly for debugging purposes.
 # - log-level-overrides lets you override the log level if certain fields match. This is incredibly powerful
 #   for debugging certain parts of the system (e.g. only the account management, or only a certain visitor).
 #   This is an array of strings in the format:
 #      - "field=value -> level" to match a value exactly, e.g. "tag=manager -> trace"
 #      - "field -> level" to match any value, e.g. "time_taken_ms -> debug"
 #   Warning: Using log-level-overrides has a performance penalty. Only use it for temporary debugging.
 #
 # Example (good for production):
 #   log-level: info
 #   log-format: json
 #   log-file: /var/log/ntfy.log
 #
 # Example level overrides (for debugging, only use temporarily):
 #   log-level-overrides:
 #      - "tag=manager -> trace"
 #      - "visitor_ip=1.2.3.4 -> debug"
 #      - "time_taken_ms -> debug"
 #
 # log-level: info
 # log-level-overrides:
 # log-format: text
 # log-file:
--- a/ansible/roles/qbittorrent/tasks/main.yml
+++ b/ansible/roles/qbittorrent/tasks/main.yml
@@ -30,6 +30,7 @@
    dest: "{{ data_dir }}/qbitmanage/config.yml"
    owner: "{{ service_user.uid }}"
    mode: "{{ docker_compose_file_mask }}"
  notify: restart qbittorrent
  become: true
 - name: Create cross-seed config directory
@@ -46,6 +47,7 @@
    dest: "{{ data_dir }}/cross-seed/config.js"
    owner: "{{ service_user.uid }}"
    mode: "{{ docker_compose_file_mask }}"
  notify: restart qbittorrent
  become: true
 - name: Start docker containers
--- a/ansible/roles/qbittorrent/templates/cross-seed/config.js
+++ b/ansible/roles/qbittorrent/templates/cross-seed/config.js
@@ -4,10 +4,10 @@ module.exports = {
    delay: 30,
    torznab: [
 	    "http://prowlarr.local.{{ personal_domain }}/3/api?apikey={{ prowlarr_api_key }}", // ImmortalSeed
 	    "http://prowlarr.local.{{ personal_domain }}/6/api?apikey={{ prowlarr_api_key }}", // Aither
 	    "http://prowlarr.local.{{ personal_domain }}/7/api?apikey={{ prowlarr_api_key }}", // Reelflix
 	    "http://prowlarr.local.{{ personal_domain }}/9/api?apikey={{ prowlarr_api_key }}", // LST
 	    "http://prowlarr.local.{{ personal_domain }}/10/api?apikey={{ prowlarr_api_key }}", // MyAnonaMouse
 	    "http://prowlarr.local.{{ personal_domain }}/12/api?apikey={{ prowlarr_api_key }}", // Blutopia
 	    "http://prowlarr.local.{{ personal_domain }}/13/api?apikey={{ prowlarr_api_key }}", // hawke-uno
 	    "http://prowlarr.local.{{ personal_domain }}/16/api?apikey={{ prowlarr_api_key }}", // AlphaRatio
@@ -15,11 +15,7 @@ module.exports = {
 	    "http://prowlarr.local.{{ personal_domain }}/19/api?apikey={{ prowlarr_api_key }}", // Cathode-Ray.Tube
 	    "http://prowlarr.local.{{ personal_domain }}/25/api?apikey={{ prowlarr_api_key }}", // seedpool
 	    "http://prowlarr.local.{{ personal_domain }}/27/api?apikey={{ prowlarr_api_key }}", // Upload.cx
-	    "http://prowlarr.local.{{ personal_domain }}/28/api?apikey={{ prowlarr_api_key }}", // AnimeBytes
+	    "http://prowlarr.local.{{ personal_domain }}/29/api?apikey={{ prowlarr_api_key }}", // IPTorrents
 	    "http://prowlarr.local.{{ personal_domain }}/30/api?apikey={{ prowlarr_api_key }}", // DocsPedia
 	    "http://prowlarr.local.{{ personal_domain }}/31/api?apikey={{ prowlarr_api_key }}", // OnlyEncodes+
 	    "http://prowlarr.local.{{ personal_domain }}/32/api?apikey={{ prowlarr_api_key }}", // Anthelion
 	    "http://prowlarr.local.{{ personal_domain }}/33/api?apikey={{ prowlarr_api_key }}", // OldToonsWorld
    ],
    outputDir: null,
@@ -29,7 +25,7 @@ module.exports = {
    excludeOlder: "12w",
    excludeRecentSearch: "3w",
    action: "inject",
-    torrentClients: ["qbittorrent:https://qui.local.{{ personal_domain }}/proxy/{{ qui_crossseed_api_key }}"],
+    torrentClients: ["qbittorrent:https://admin:password@qbittorrent.local.{{ personal_domain }}"],
    sonarr: ["https://sonarr.local.{{ personal_domain }}/?apikey={{ sonarr_api_key }}"],
    radarr: ["https://radarr.local.{{ personal_domain }}/?apikey={{ radarr_api_key }}"],
    seasonsFromEpisodes: 0.8,
--- a/ansible/roles/qbittorrent/templates/docker-compose.yml
+++ b/ansible/roles/qbittorrent/templates/docker-compose.yml
@@ -5,7 +5,7 @@ networks:
 services:
  qbittorrent:
    container_name: qbittorrent
-    image: lscr.io/linuxserver/qbittorrent:5.1.4
+    image: lscr.io/linuxserver/qbittorrent:5.1.2
    restart: unless-stopped
    network_mode: "container:gluetun"
    environment:
@@ -13,7 +13,7 @@ services:
      - "PGID={{ media_gid }}"
      - "TZ={{ timezone }}"
      - "UMASK=002"
-      #- DOCKER_MODS=arafatamim/linuxserver-io-mod-vuetorrent
+      - DOCKER_MODS=arafatamim/linuxserver-io-mod-vuetorrent
    volumes:
      - "{{ data_dir }}/{{ role_name }}:/config"
      - "{{ media_storage_mnt }}/data/torrents:/data/torrents"
@@ -52,3 +52,26 @@ services:
      - "{{ media_storage_mnt }}/data/torrents:/data/torrents" # Necessary for partial matching
    command: daemon
    restart: unless-stopped
  unpackerr:
    container_name: unpackerr
    image: ghcr.io/hotio/unpackerr
    networks:
      - starr
    environment:
      - "PUID={{ service_user.uid }}"
      - "PGID={{ media_gid }}"
      - UMASK=002
      - TZ={{ timezone }}
      - UN_INTERVAL=5m
      - UN_FILE_MODE=0664
      - UN_DIR_MODE=0775
      - UN_SONARR_0_URL=http://sonarr:8989
      - "UN_SONARR_0_API_KEY={{ sonarr_api_key }}"
      - UN_SONARR_0_PATHS_0=/data/torrents/tv
      - UN_RADARR_0_URL=http://radarr:7878
      - "UN_RADARR_0_API_KEY={{ radarr_api_key }}"
      - UN_RADARR_0_PATHS_0=/data/torrents/movies
    volumes:
      - "{{ data_dir }}/unpackerr:/config"
      - "{{ media_storage_mnt }}/data/torrents:/data/torrents"
--- a/ansible/roles/qbittorrent/templates/qbitmanage/config.yml
+++ b/ansible/roles/qbittorrent/templates/qbitmanage/config.yml
@@ -5,11 +5,11 @@ commands:
  recheck: True
  tag_update: True
  rem_unregistered: True
-  rem_orphaned: True
+  remove_orphaned: True
  tag_nohardlinks: True
 qbt:
-  host: "https://qui.local.{{ personal_domain }}/proxy/{{ qui_qbitmanage_api_key }}"
+  host: "https://qbittorrent.local.{{ personal_domain }}"
  user:
  pass:
@@ -41,32 +41,36 @@ cat:
 tracker:
  hawke:
    tag: HUNO
  digitalcore:
    tag: DigitalCore
  myanonamouse:
    tag: MaM
  torrentleech|tleechreload:
-    tag: TL
+    tag: TorrentLeech
  aither:
-    tag: ATH
+    tag: Aither
  nyaa:
    tag: Nyaa
  animetosho:
    tag: AnimeTosho
  immortalseed:
    tag: ImmortalSeed
  torrentseeds:
    tag: TorrentSeeds
  ops:
-    tag: OPS
+    tag: Orpheus
  reelflix:
-    tag: RFX
+    tag: ReelFlix
  blutopia:
-    tag: BLU
+    tag: Blu
  lst:
    tag: LST
  speed:
    tag: Speed.CD
  alpharatio:
-    tag: AR
+    tag: AlphaRatio
  filelist:
-    tag: FL
+    tag: FileList
  skipthecommericals.xyz:
    tag: STC
  cathode:
@@ -74,19 +78,11 @@ tracker:
  t-ru.org:
    tag: rutracker
  seedpool|seedpool.org:
-    tag: SP
+    tag: seedpool
-  upload.cx:
+  upload:
    tag: ULCX
  archlinux:
    tag: archlinux
  animebytes:
    tag: AB
  anthelion:
    tag: ANT
  onlyencodes:
    tag: OE+
  oldtoons:
    tag: OTW
  other:
    tag: other
@@ -103,7 +99,7 @@ share_limits:
    priority: 1
    include_all_tags:
      - noHL
-    max_seeding_time: 40320 # 4 weeks
+    max_seeding_time: 28800 # 20 days
    cleanup: true
    add_group_to_tag: false
  isos:
@@ -113,14 +109,28 @@ share_limits:
    max_seeding_time: 129600 # 90 days
    cleanup: true
    add_group_to_tag: false
-  big: # Set speed limit on bandwidth hogs
+  tl_cross-seed:
    priority: 9
-    include_any_tags:
+    include_all_tags:
      - cross-seed
      - TorrentLeech
      - FileList
      - AlphaRatio
    limit_upload_speed: 100 # 100 KiBps
    add_group_to_tag: false
  public_trackers:
    priority: 10
    include_any_tags:
      - Nyaa
      - AnimeTosho
      - rutracker
    categories:
      - movies
      - tv
    max_ratio: 2
    max_seeding_time: 21600 # 15 days
    limit_upload_speed: 5000 # 5 MiBps
    cleanup: true
    add_group_to_tag: false
 recyclebin:
  enabled: true
--- a/ansible/roles/qbittorrent/vars/main.yml
+++ b/ansible/roles/qbittorrent/vars/main.yml
@@ -33,25 +33,3 @@ crossseed_webhook_endpoint: !vault |
  37633631313965396233613333373832353463653337393861393335373661393163343037306130
  6337376662653463316530313863613532633338623731356536
 qui_crossseed_api_key: !vault |
  $ANSIBLE_VAULT;1.1;AES256
  31663334373665646433616663326336306631653833373765366463373166316661333463316235
  3861633161623034356431383030326233353836656466390a386534356665633561376263363030
  63383766383535366530306238393836613337366136363037313364336164383366636166623265
  3964366637613866300a653231333566356566616537356330613938353464303530616232306238
  32666665653534653765653034396232663161323261623237373739333634383038346562613063
  65653332666336613861363965393562366465666261666536396231303461656162373436633830
  63326536613230626563626232363835373635323533333332373136356430393439316666386439
  65356230376630376630
 qui_qbitmanage_api_key: !vault |
  $ANSIBLE_VAULT;1.1;AES256
  39616437313930376137323434396438333562316565306233316166383465333134623836633365
  6136333039373366396461356665333236326539323731380a653664656637313933346533396433
  33643430343437623132666233383434613066346338646232666539633066333662343565336466
  3031323265343936660a366265313430663330643132373233383765633066396566343963663662
  61386365653233366237363062336539653361373930383530653031656638356533313061626635
  33663932666536396431626363623437326133646661653834376335373562353065323633326234
  33316338653865326534336530656231643830616434396637306561376436633632343731623065
  37343434326461346465
--- a/ansible/roles/readarr/tasks/main.yml
+++ b/ansible/roles/readarr/tasks/main.yml
@@ -0,0 +1,31 @@
 - name: Create service user
  user:
    name: "{{ role_name }}"
    groups: "{{ media_group }}"
    append: yes
    system: true
  register: service_user
  become: true
 - name: Create install directory
  file:
    path: "{{ install_directory }}/{{ role_name }}"
    state: directory
    owner: "{{ docker_user }}"
    mode: "{{ docker_compose_directory_mask }}"
  become: true
 - name: Copy docker-compose file to destination
  template:
    src: docker-compose.yml
    dest: "{{ install_directory }}/{{ role_name }}/docker-compose.yml"
    owner: "{{ docker_user }}"
    mode: "{{ docker_compose_file_mask }}"
    validate: docker compose -f %s config
  become: true
 - name: Start docker container
  community.docker.docker_compose_v2:
    project_src: "{{ install_directory }}/{{ role_name }}"
    pull: always
    remove_orphans: yes
--- a/ansible/roles/readarr/templates/docker-compose.yml
+++ b/ansible/roles/readarr/templates/docker-compose.yml
@@ -0,0 +1,24 @@
 networks:
  traefik:
    external: true
 services:
  {{ role_name }}:
    container_name: "{{ role_name }}"
    image: cr.hotio.dev/hotio/readarr
    restart: unless-stopped
    networks:
      - traefik
    environment:
      - "PUID={{ service_user.uid }}"
      - "PGID={{ media_gid }}"
      - "TZ={{ timezone }}"
      - "UMASK=002"
    volumes:
      - "{{ data_dir }}/{{ role_name }}:/config"
      - "{{ media_storage_mnt }}/data:/data"
    labels:
      traefik.enable: true
      traefik.http.routers.{{ role_name }}.rule: "Host(`{{ role_name }}.local.{{ personal_domain }}`)"
      traefik.http.routers.{{ role_name }}.middlewares: lan-whitelist@file
--- a/ansible/roles/recyclarr/files/includes/radarr-anime-custom_formats.yml
+++ b/ansible/roles/recyclarr/files/includes/radarr-anime-custom_formats.yml
@@ -48,9 +48,3 @@ custom_formats:
    assign_scores_to:
      - name: Anime
        score: 10 # Prefer dual audio within the same tier but not over higher quality releases 
  - trash_ids:
      - 923b6abef9b17f937fab56cfcf89e1f1 # DV (w/o HDR fallback)
    assign_scores_to:
      - name: Anime
        score: -10000
--- a/ansible/roles/recyclarr/files/includes/radarr-not_4k-custom_formats.yml
+++ b/ansible/roles/recyclarr/files/includes/radarr-not_4k-custom_formats.yml
@@ -41,6 +41,24 @@ custom_formats:
      - c9fd353f8f5f1baf56dc601c4cb29920 # PCOK
      - c2863d2a50c9acad1fb50e53ece60817 # STAN
      # Audio
      - 496f355514737f7d83bf7aa4d24f8169 # TrueHD Atmos
      - 2f22d89048b01681dde8afe203bf2e95 # DTS:X
      - 417804f7f2c4308c1f4c5d380d4c4475 # Atmos (undefined)
      - 1af239278386be2919e1bcee0bde047e # DD+ Atmos
      - 3cafb66171b47f226146a0770576870f # TrueHD
      - dcf3ec6938fa32445f590a4da84256cd # DTS-HD MA
      - a570d4a0e56a2874b64e5bfa55202a1b # FLAC
      - e7c2fcae07cbada050a0af3357491d7b # PCM
      - 8e109e50e0a0b83a5098b056e13bf6db # DTS-HD HRA
      - 185f1dd7264c4562b9022d963ac37424 # DD+
      - f9f847ac70a0af62ea4a08280b859636 # DTS-ES
      - 1c1a4c5e823891c75bc50380a6866f73 # DTS
      - 240770601cc226190c367ef59aba7463 # AAC
      - c2998bd0d90ed5621d8df281e839436e # DD
      - 6ba9033150e7896bdc9ec4b44f2b230f # MP3
      - a061e2e700f81932daf888599f8a8273 # Opus
      # Movie Versions
      - 570bc9ebecd92723d2d21500f4be314c # Remaster
      - eca37840c13c6ef2dd0262b141a5482f # 4K Remaster
--- a/ansible/roles/recyclarr/files/includes/radarr-old-custom_formats.yml
+++ b/ansible/roles/recyclarr/files/includes/radarr-old-custom_formats.yml
@@ -44,6 +44,24 @@ custom_formats:
      - c9fd353f8f5f1baf56dc601c4cb29920 # PCOK
      - c2863d2a50c9acad1fb50e53ece60817 # STAN
      # Audio
      - 496f355514737f7d83bf7aa4d24f8169 # TrueHD Atmos
      - 2f22d89048b01681dde8afe203bf2e95 # DTS:X
      - 417804f7f2c4308c1f4c5d380d4c4475 # Atmos (undefined)
      - 1af239278386be2919e1bcee0bde047e # DD+ Atmos
      - 3cafb66171b47f226146a0770576870f # TrueHD
      - dcf3ec6938fa32445f590a4da84256cd # DTS-HD MA
      - a570d4a0e56a2874b64e5bfa55202a1b # FLAC
      - e7c2fcae07cbada050a0af3357491d7b # PCM
      - 8e109e50e0a0b83a5098b056e13bf6db # DTS-HD HRA
      - 185f1dd7264c4562b9022d963ac37424 # DD+
      - f9f847ac70a0af62ea4a08280b859636 # DTS-ES
      - 1c1a4c5e823891c75bc50380a6866f73 # DTS
      - 240770601cc226190c367ef59aba7463 # AAC
      - c2998bd0d90ed5621d8df281e839436e # DD
      - 6ba9033150e7896bdc9ec4b44f2b230f # MP3
      - a061e2e700f81932daf888599f8a8273 # Opus
      # Movie Versions
      - 570bc9ebecd92723d2d21500f4be314c # Remaster
      - eca37840c13c6ef2dd0262b141a5482f # 4K Remaster
--- a/ansible/roles/recyclarr/files/includes/radarr-remux-custom_formats.yml
+++ b/ansible/roles/recyclarr/files/includes/radarr-remux-custom_formats.yml
@@ -44,6 +44,24 @@ custom_formats:
      - c9fd353f8f5f1baf56dc601c4cb29920 # PCOK
      - c2863d2a50c9acad1fb50e53ece60817 # STAN
      # Audio
      - 496f355514737f7d83bf7aa4d24f8169 # TrueHD Atmos
      - 2f22d89048b01681dde8afe203bf2e95 # DTS:X
      - 417804f7f2c4308c1f4c5d380d4c4475 # Atmos (undefined)
      - 1af239278386be2919e1bcee0bde047e # DD+ Atmos
      - 3cafb66171b47f226146a0770576870f # TrueHD
      - dcf3ec6938fa32445f590a4da84256cd # DTS-HD MA
      - a570d4a0e56a2874b64e5bfa55202a1b # FLAC
      - e7c2fcae07cbada050a0af3357491d7b # PCM
      - 8e109e50e0a0b83a5098b056e13bf6db # DTS-HD HRA
      - 185f1dd7264c4562b9022d963ac37424 # DD+
      - f9f847ac70a0af62ea4a08280b859636 # DTS-ES
      - 1c1a4c5e823891c75bc50380a6866f73 # DTS
      - 240770601cc226190c367ef59aba7463 # AAC
      - c2998bd0d90ed5621d8df281e839436e # DD
      - 6ba9033150e7896bdc9ec4b44f2b230f # MP3
      - a061e2e700f81932daf888599f8a8273 # Opus
      # Movie Versions
      - 570bc9ebecd92723d2d21500f4be314c # Remaster
      - eca37840c13c6ef2dd0262b141a5482f # 4K Remaster
--- a/ansible/roles/recyclarr/files/includes/radarr-web-custom_formats.yml
+++ b/ansible/roles/recyclarr/files/includes/radarr-web-custom_formats.yml
@@ -44,6 +44,24 @@ custom_formats:
      - c9fd353f8f5f1baf56dc601c4cb29920 # PCOK
      - c2863d2a50c9acad1fb50e53ece60817 # STAN
      # Audio
      - 496f355514737f7d83bf7aa4d24f8169 # TrueHD Atmos
      - 2f22d89048b01681dde8afe203bf2e95 # DTS:X
      - 417804f7f2c4308c1f4c5d380d4c4475 # Atmos (undefined)
      - 1af239278386be2919e1bcee0bde047e # DD+ Atmos
      - 3cafb66171b47f226146a0770576870f # TrueHD
      - dcf3ec6938fa32445f590a4da84256cd # DTS-HD MA
      - a570d4a0e56a2874b64e5bfa55202a1b # FLAC
      - e7c2fcae07cbada050a0af3357491d7b # PCM
      - 8e109e50e0a0b83a5098b056e13bf6db # DTS-HD HRA
      - 185f1dd7264c4562b9022d963ac37424 # DD+
      - f9f847ac70a0af62ea4a08280b859636 # DTS-ES
      - 1c1a4c5e823891c75bc50380a6866f73 # DTS
      - 240770601cc226190c367ef59aba7463 # AAC
      - c2998bd0d90ed5621d8df281e839436e # DD
      - 6ba9033150e7896bdc9ec4b44f2b230f # MP3
      - a061e2e700f81932daf888599f8a8273 # Opus
      # Movie Versions
      - 570bc9ebecd92723d2d21500f4be314c # Remaster
      - eca37840c13c6ef2dd0262b141a5482f # 4K Remaster
--- a/ansible/roles/recyclarr/files/includes/sonarr-anime-custom_formats.yml
+++ b/ansible/roles/recyclarr/files/includes/sonarr-anime-custom_formats.yml
@@ -68,6 +68,31 @@ custom_formats:
      - c2216b7b8aa545dc1ce8388c618f8d57 # HD Bluray Tier 02
      - d0c516558625b04b363fa6c5c2c7cfd4 # WEB Scene
      # Audio Advanced
      - 0d7824bb924701997f874e7ff7d4844a # TrueHD Atmos
      - 9d00418ba386a083fbf4d58235fc37ef # DTS:X
      - b6fbafa7942952a13e17e2b1152b539a # Atmos (undefined)
      - 4232a509ce60c4e208d13825b7c06264 # DDPlus Atmos
      - 1808e4b9cee74e064dfae3f1db99dbfe # TrueHD
      - c429417a57ea8c41d57e6990a8b0033f # DTS-HD MA
      - 851bd64e04c9374c51102be3dd9ae4cc # FLAC
      - 30f70576671ca933adbdcfc736a69718 # PCM
      - cfa5fbd8f02a86fc55d8d223d06a5e1f # DTS-HD HRA
      - 63487786a8b01b7f20dd2bc90dd4a477 # DDPlus
      - c1a25cd67b5d2e08287c957b1eb903ec # DTS-ES
      - 5964f2a8b3be407d083498e4459d05d0 # DTS
      - a50b8a0c62274a7c38b09a9619ba9d86 # AAC
      - dbe00161b08a25ac6154c55f95e6318d # DD
      - 3e8b714263b26f486972ee1e0fe7606c # MP3
      - 28f6ef16d61e2d1adfce3156ed8257e3 # Opus
      - bd6dd5e043aa27ff4696a08d011c7d96 # 1.0 Mono
      - 834e534f103938853ffced4203b53e72 # 2.0 Stereo
      - 42cba7e38c7947a6d1d0a62580ee6d62 # 3.0 Sound
      - 1895195e84767de180653914ce207245 # 4.0 Sound
      - 3fbafa924f361e66fbc6187af82dfa85 # 5.1 Surround
      - 9fb6d778592c293467437593ef394bf1 # 6.1 Surround
      - 204c8c3e7315bb0ea81332774fa888d6 # 7.1 Surround
      # Unwanted
      - 15a05bc7c1a36e2b57fd628f8977e2fc # AV1
      - b4a1b3d705159cdca36d71e57ca86871 # Anime Raws
@@ -83,3 +108,9 @@ custom_formats:
    assign_scores_to:
      - name: Anime
        score: 10 # Prefer dual audio within the same tier but don't prefer over higher quality releases 
  - trash_ids:
      - 3bc5f395426614e155e585a2f056cdf1 # Season Pack
    assign_scores_to:
      - name: Anime
        score: 10 # Prefer season packs over single episode releases
--- a/ansible/roles/recyclarr/files/includes/sonarr-encode-custom_formats.yml
+++ b/ansible/roles/recyclarr/files/includes/sonarr-encode-custom_formats.yml
@@ -1,68 +0,0 @@
 custom_formats:
  - trash_ids:
      # HDR Formats
      - 2b239ed870daba8126a53bd5dc8dc1c8 # DV HDR10+
      - 7878c33f1963fefb3d6c8657d46c2f0a # DV HDR10
      - 6d0d8de7b57e35518ac0308b0ddf404e # DV
      - 1f733af03141f068a540eec352589a89 # DV HLG
      - 27954b0a80aab882522a88a4d9eae1cd # DV SDR
      - a3d82cbef5039f8d295478d28a887159 # HDR10+
      - 3497799d29a085e2ac2df9d468413c94 # HDR10
      - 3e2c4e748b64a1a1118e0ea3f4cf6875 # HDR
      - bb019e1cd00f304f80971c965de064dc # HDR (undefined)
      - 2a7e3be05d3861d6df7171ec74cad727 # PQ
      - 17e889ce13117940092308f48b48b45b # HLG
      - 9b27ab6498ec0f31a3353992e19434ca # DV (WEBDL)
      # Miscellaneous
      - ec8fa7296b64e8cd390a1600981f3923 # Repack/Proper
      - eb3d5cc0a2be0db205fb823640db6a3c # Repack v2
      - 44e7c4de10ae50265753082e5dc76047 # Repack v3
      - b735f09d3c025cbb7d75a5d38325b73b # Remaster
      - 3bc5f395426614e155e585a2f056cdf1 # Season Pack
      # Streaming Services
      - d660701077794679fd59e8bdf4ce3a29 # AMZN
      - f67c9ca88f463a48346062e8ad07713f # ATVP
      - 77a7b25585c18af08f60b1547bb9b4fb # CC
      - 36b72f59f4ea20aad9316f475f2d9fbb # DCU
      - 89358767a60cc28783cdc3d0be9388a4 # DSNP
      - a880d6abc21e7c16884f3ae393f84179 # HMAX
      - 7a235133c87f7da4c8cccceca7e3c7a6 # HBO
      - f6cce30f1733d5c8194222a7507909bb # HULU
      - 0ac24a2a68a9700bcb7eeca8e5cd644c # iT
      - 81d1fbf600e2540cee87f3a23f9d3c1c # MAX
      - d34870697c9db575f17700212167be23 # NF
      - c67a75ae4a1715f2bb4d492755ba4195 # PMTP
      - 1656adc6d7bb2c8cca6acfb6592db421 # PCOK
      - ae58039e1319178e6be73caab5c42166 # SHO
      - 1efe8da11bfd74fbbcd4d8117ddb9213 # STAN
      - 9623c5c9cac8e939c1b9aedd32f640bf # SYFY
      - 9623c5c9cac8e939c1b9aedd32f640bf # UHD Streaming Boost
      - d2d299244a92b8a52d4921ce3897a256 # UHD Streaming Cut
      # Release Group Tiers
      - 9965a052eb87b0d10313b1cea89eb451 # Remux Tier 01
      - 8a1d0c3d7497e741736761a1da866a2e # Remux Tier 02
      - d6819cba26b1a6508138d25fb5e32293 # HD Bluray Tier 01
      - c2216b7b8aa545dc1ce8388c618f8d57 # HD Bluray Tier 02
      - e6258996055b9fbab7e9cb2f75819294 # WEB Tier 01
      - 58790d4e2fdcd9733aa7ae68ba2bb503 # WEB Tier 02
      - d84935abd3f8556dcd51d4f27e22d0a6 # WEB Tier 03
      - d0c516558625b04b363fa6c5c2c7cfd4 # WEB Scene
      # Unwanted
      - 85c61753df5da1fb2aab6f2a47426b09 # BR-DISK
      - 9c11cd3f07101cdba90a2d81cf0e56b4 # LQ
      - e2315f990da2e2cbfc9fa5b7a6fcfe48 # LQ (Release Title)
      - 9b64dff695c2115facf1b6ea59c9bd07 # x265 (no HDR/DV)
      - 83304f261cf516bb208c18c54c0adf97 # SDR (no WEBDL)
      - fbcb31d8dabd2a319072b84fc0b7249c # Extras
      - 15a05bc7c1a36e2b57fd628f8977e2fc # AV1
      - 32b367365729d530ca1c124a0b180c64 # Bad Dual Groups
      - 82d40da2bc6923f41e14394075dd4b03 # No-RlsGroup
      - e1a997ddb54e3ecbfe06341ad323c458 # Obfuscated
      - 06d66ab109d4d2eddb2794d21526d140 # Retags
      - b735f09d3c025cbb7d75a5d38325b73b # Upscaled
    assign_scores_to:
      - name: Remux
--- a/ansible/roles/recyclarr/files/includes/sonarr-encode-qualities.yml
+++ b/ansible/roles/recyclarr/files/includes/sonarr-encode-qualities.yml
@@ -1,22 +0,0 @@
 quality_profiles:
  - name: Remux
    upgrade:
      allowed: true
      until_quality: 'Bluray-2160p Remux'
      until_score: 10000
    min_format_score: 0
    score_set: default
    quality_sort: top
    qualities:
      - name: 'Bluray-2160p Remux'
      - name: 'Bluray-1080p Remux'
      - name: Bluray-2160p
      - name: WEB 2160p
        qualities:
          - WEBDL-2160p
          - WEBRip-2160p
      - name: Bluray-1080p
      - name: WEB 1080p
        qualities:
          - WEBDL-1080p
          - WEBRip-1080p
--- a/ansible/roles/recyclarr/files/includes/sonarr-old-custom_formats.yml
+++ b/ansible/roles/recyclarr/files/includes/sonarr-old-custom_formats.yml
@@ -51,6 +51,31 @@ custom_formats:
      - d84935abd3f8556dcd51d4f27e22d0a6 # WEB Tier 03
      - d0c516558625b04b363fa6c5c2c7cfd4 # WEB Scene
      # Audio Advanced
      - 0d7824bb924701997f874e7ff7d4844a # TrueHD Atmos
      - 9d00418ba386a083fbf4d58235fc37ef # DTS:X
      - b6fbafa7942952a13e17e2b1152b539a # Atmos (undefined)
      - 4232a509ce60c4e208d13825b7c06264 # DDPlus Atmos
      - 1808e4b9cee74e064dfae3f1db99dbfe # TrueHD
      - c429417a57ea8c41d57e6990a8b0033f # DTS-HD MA
      - 851bd64e04c9374c51102be3dd9ae4cc # FLAC
      - 30f70576671ca933adbdcfc736a69718 # PCM
      - cfa5fbd8f02a86fc55d8d223d06a5e1f # DTS-HD HRA
      - 63487786a8b01b7f20dd2bc90dd4a477 # DDPlus
      - c1a25cd67b5d2e08287c957b1eb903ec # DTS-ES
      - 5964f2a8b3be407d083498e4459d05d0 # DTS
      - a50b8a0c62274a7c38b09a9619ba9d86 # AAC
      - dbe00161b08a25ac6154c55f95e6318d # DD
      - 3e8b714263b26f486972ee1e0fe7606c # MP3
      - 28f6ef16d61e2d1adfce3156ed8257e3 # Opus
      - bd6dd5e043aa27ff4696a08d011c7d96 # 1.0 Mono
      - 834e534f103938853ffced4203b53e72 # 2.0 Stereo
      - 42cba7e38c7947a6d1d0a62580ee6d62 # 3.0 Sound
      - 1895195e84767de180653914ce207245 # 4.0 Sound
      - 3fbafa924f361e66fbc6187af82dfa85 # 5.1 Surround
      - 9fb6d778592c293467437593ef394bf1 # 6.1 Surround
      - 204c8c3e7315bb0ea81332774fa888d6 # 7.1 Surround
      # Unwanted
      - 85c61753df5da1fb2aab6f2a47426b09 # BR-DISK
      - 9c11cd3f07101cdba90a2d81cf0e56b4 # LQ
@@ -60,6 +85,7 @@ custom_formats:
      - fbcb31d8dabd2a319072b84fc0b7249c # Extras
      - 15a05bc7c1a36e2b57fd628f8977e2fc # AV1
      - 32b367365729d530ca1c124a0b180c64 # Bad Dual Groups
      - 82d40da2bc6923f41e14394075dd4b03 # No-RlsGroup
      - e1a997ddb54e3ecbfe06341ad323c458 # Obfuscated
      - 06d66ab109d4d2eddb2794d21526d140 # Retags
      - b735f09d3c025cbb7d75a5d38325b73b # Upscaled
--- a/ansible/roles/recyclarr/files/includes/sonarr-old_season_pack-custom_formats.yml
+++ b/ansible/roles/recyclarr/files/includes/sonarr-old_season_pack-custom_formats.yml
@@ -51,6 +51,31 @@ custom_formats:
      - d84935abd3f8556dcd51d4f27e22d0a6 # WEB Tier 03
      - d0c516558625b04b363fa6c5c2c7cfd4 # WEB Scene
      # Audio Advanced
      - 0d7824bb924701997f874e7ff7d4844a # TrueHD Atmos
      - 9d00418ba386a083fbf4d58235fc37ef # DTS:X
      - b6fbafa7942952a13e17e2b1152b539a # Atmos (undefined)
      - 4232a509ce60c4e208d13825b7c06264 # DDPlus Atmos
      - 1808e4b9cee74e064dfae3f1db99dbfe # TrueHD
      - c429417a57ea8c41d57e6990a8b0033f # DTS-HD MA
      - 851bd64e04c9374c51102be3dd9ae4cc # FLAC
      - 30f70576671ca933adbdcfc736a69718 # PCM
      - cfa5fbd8f02a86fc55d8d223d06a5e1f # DTS-HD HRA
      - 63487786a8b01b7f20dd2bc90dd4a477 # DDPlus
      - c1a25cd67b5d2e08287c957b1eb903ec # DTS-ES
      - 5964f2a8b3be407d083498e4459d05d0 # DTS
      - a50b8a0c62274a7c38b09a9619ba9d86 # AAC
      - dbe00161b08a25ac6154c55f95e6318d # DD
      - 3e8b714263b26f486972ee1e0fe7606c # MP3
      - 28f6ef16d61e2d1adfce3156ed8257e3 # Opus
      - bd6dd5e043aa27ff4696a08d011c7d96 # 1.0 Mono
      - 834e534f103938853ffced4203b53e72 # 2.0 Stereo
      - 42cba7e38c7947a6d1d0a62580ee6d62 # 3.0 Sound
      - 1895195e84767de180653914ce207245 # 4.0 Sound
      - 3fbafa924f361e66fbc6187af82dfa85 # 5.1 Surround
      - 9fb6d778592c293467437593ef394bf1 # 6.1 Surround
      - 204c8c3e7315bb0ea81332774fa888d6 # 7.1 Surround
      # Unwanted
      - 85c61753df5da1fb2aab6f2a47426b09 # BR-DISK
      - 9c11cd3f07101cdba90a2d81cf0e56b4 # LQ
@@ -60,6 +85,7 @@ custom_formats:
      - fbcb31d8dabd2a319072b84fc0b7249c # Extras
      - 15a05bc7c1a36e2b57fd628f8977e2fc # AV1
      - 32b367365729d530ca1c124a0b180c64 # Bad Dual Groups
      - 82d40da2bc6923f41e14394075dd4b03 # No-RlsGroup
      - e1a997ddb54e3ecbfe06341ad323c458 # Obfuscated
      - 06d66ab109d4d2eddb2794d21526d140 # Retags
      - b735f09d3c025cbb7d75a5d38325b73b # Upscaled
--- a/ansible/roles/recyclarr/files/includes/sonarr-remux-custom_formats.yml
+++ b/ansible/roles/recyclarr/files/includes/sonarr-remux-custom_formats.yml
@@ -51,6 +51,31 @@ custom_formats:
      - d84935abd3f8556dcd51d4f27e22d0a6 # WEB Tier 03
      - d0c516558625b04b363fa6c5c2c7cfd4 # WEB Scene
      # Audio Advanced
      - 0d7824bb924701997f874e7ff7d4844a # TrueHD Atmos
      - 9d00418ba386a083fbf4d58235fc37ef # DTS:X
      - b6fbafa7942952a13e17e2b1152b539a # Atmos (undefined)
      - 4232a509ce60c4e208d13825b7c06264 # DDPlus Atmos
      - 1808e4b9cee74e064dfae3f1db99dbfe # TrueHD
      - c429417a57ea8c41d57e6990a8b0033f # DTS-HD MA
      - 851bd64e04c9374c51102be3dd9ae4cc # FLAC
      - 30f70576671ca933adbdcfc736a69718 # PCM
      - cfa5fbd8f02a86fc55d8d223d06a5e1f # DTS-HD HRA
      - 63487786a8b01b7f20dd2bc90dd4a477 # DDPlus
      - c1a25cd67b5d2e08287c957b1eb903ec # DTS-ES
      - 5964f2a8b3be407d083498e4459d05d0 # DTS
      - a50b8a0c62274a7c38b09a9619ba9d86 # AAC
      - dbe00161b08a25ac6154c55f95e6318d # DD
      - 3e8b714263b26f486972ee1e0fe7606c # MP3
      - 28f6ef16d61e2d1adfce3156ed8257e3 # Opus
      - bd6dd5e043aa27ff4696a08d011c7d96 # 1.0 Mono
      - 834e534f103938853ffced4203b53e72 # 2.0 Stereo
      - 42cba7e38c7947a6d1d0a62580ee6d62 # 3.0 Sound
      - 1895195e84767de180653914ce207245 # 4.0 Sound
      - 3fbafa924f361e66fbc6187af82dfa85 # 5.1 Surround
      - 9fb6d778592c293467437593ef394bf1 # 6.1 Surround
      - 204c8c3e7315bb0ea81332774fa888d6 # 7.1 Surround
      # Unwanted
      - 85c61753df5da1fb2aab6f2a47426b09 # BR-DISK
      - 9c11cd3f07101cdba90a2d81cf0e56b4 # LQ
--- a/ansible/roles/recyclarr/files/includes/sonarr-remux_season_pack-custom_formats.yml
+++ b/ansible/roles/recyclarr/files/includes/sonarr-remux_season_pack-custom_formats.yml
@@ -51,6 +51,31 @@ custom_formats:
      - d84935abd3f8556dcd51d4f27e22d0a6 # WEB Tier 03
      - d0c516558625b04b363fa6c5c2c7cfd4 # WEB Scene
      # Audio Advanced
      - 0d7824bb924701997f874e7ff7d4844a # TrueHD Atmos
      - 9d00418ba386a083fbf4d58235fc37ef # DTS:X
      - b6fbafa7942952a13e17e2b1152b539a # Atmos (undefined)
      - 4232a509ce60c4e208d13825b7c06264 # DDPlus Atmos
      - 1808e4b9cee74e064dfae3f1db99dbfe # TrueHD
      - c429417a57ea8c41d57e6990a8b0033f # DTS-HD MA
      - 851bd64e04c9374c51102be3dd9ae4cc # FLAC
      - 30f70576671ca933adbdcfc736a69718 # PCM
      - cfa5fbd8f02a86fc55d8d223d06a5e1f # DTS-HD HRA
      - 63487786a8b01b7f20dd2bc90dd4a477 # DDPlus
      - c1a25cd67b5d2e08287c957b1eb903ec # DTS-ES
      - 5964f2a8b3be407d083498e4459d05d0 # DTS
      - a50b8a0c62274a7c38b09a9619ba9d86 # AAC
      - dbe00161b08a25ac6154c55f95e6318d # DD
      - 3e8b714263b26f486972ee1e0fe7606c # MP3
      - 28f6ef16d61e2d1adfce3156ed8257e3 # Opus
      - bd6dd5e043aa27ff4696a08d011c7d96 # 1.0 Mono
      - 834e534f103938853ffced4203b53e72 # 2.0 Stereo
      - 42cba7e38c7947a6d1d0a62580ee6d62 # 3.0 Sound
      - 1895195e84767de180653914ce207245 # 4.0 Sound
      - 3fbafa924f361e66fbc6187af82dfa85 # 5.1 Surround
      - 9fb6d778592c293467437593ef394bf1 # 6.1 Surround
      - 204c8c3e7315bb0ea81332774fa888d6 # 7.1 Surround
      # Unwanted
      - 85c61753df5da1fb2aab6f2a47426b09 # BR-DISK
      - 9c11cd3f07101cdba90a2d81cf0e56b4 # LQ
--- a/ansible/roles/recyclarr/files/includes/sonarr-web-custom_formats.yml
+++ b/ansible/roles/recyclarr/files/includes/sonarr-web-custom_formats.yml
@@ -51,6 +51,31 @@ custom_formats:
      - d84935abd3f8556dcd51d4f27e22d0a6 # WEB Tier 03
      - d0c516558625b04b363fa6c5c2c7cfd4 # WEB Scene
      # Audio Advanced
      - 0d7824bb924701997f874e7ff7d4844a # TrueHD Atmos
      - 9d00418ba386a083fbf4d58235fc37ef # DTS:X
      - b6fbafa7942952a13e17e2b1152b539a # Atmos (undefined)
      - 4232a509ce60c4e208d13825b7c06264 # DDPlus Atmos
      - 1808e4b9cee74e064dfae3f1db99dbfe # TrueHD
      - c429417a57ea8c41d57e6990a8b0033f # DTS-HD MA
      - 851bd64e04c9374c51102be3dd9ae4cc # FLAC
      - 30f70576671ca933adbdcfc736a69718 # PCM
      - cfa5fbd8f02a86fc55d8d223d06a5e1f # DTS-HD HRA
      - 63487786a8b01b7f20dd2bc90dd4a477 # DDPlus
      - c1a25cd67b5d2e08287c957b1eb903ec # DTS-ES
      - 5964f2a8b3be407d083498e4459d05d0 # DTS
      - a50b8a0c62274a7c38b09a9619ba9d86 # AAC
      - dbe00161b08a25ac6154c55f95e6318d # DD
      - 3e8b714263b26f486972ee1e0fe7606c # MP3
      - 28f6ef16d61e2d1adfce3156ed8257e3 # Opus
      - bd6dd5e043aa27ff4696a08d011c7d96 # 1.0 Mono
      - 834e534f103938853ffced4203b53e72 # 2.0 Stereo
      - 42cba7e38c7947a6d1d0a62580ee6d62 # 3.0 Sound
      - 1895195e84767de180653914ce207245 # 4.0 Sound
      - 3fbafa924f361e66fbc6187af82dfa85 # 5.1 Surround
      - 9fb6d778592c293467437593ef394bf1 # 6.1 Surround
      - 204c8c3e7315bb0ea81332774fa888d6 # 7.1 Surround
      # Unwanted
      - 85c61753df5da1fb2aab6f2a47426b09 # BR-DISK
      - 9c11cd3f07101cdba90a2d81cf0e56b4 # LQ
--- a/ansible/roles/recyclarr/files/includes/sonarr-web_season_pack-custom_formats.yml
+++ b/ansible/roles/recyclarr/files/includes/sonarr-web_season_pack-custom_formats.yml
@@ -51,6 +51,31 @@ custom_formats:
      - d84935abd3f8556dcd51d4f27e22d0a6 # WEB Tier 03
      - d0c516558625b04b363fa6c5c2c7cfd4 # WEB Scene
      # Audio Advanced
      - 0d7824bb924701997f874e7ff7d4844a # TrueHD Atmos
      - 9d00418ba386a083fbf4d58235fc37ef # DTS:X
      - b6fbafa7942952a13e17e2b1152b539a # Atmos (undefined)
      - 4232a509ce60c4e208d13825b7c06264 # DDPlus Atmos
      - 1808e4b9cee74e064dfae3f1db99dbfe # TrueHD
      - c429417a57ea8c41d57e6990a8b0033f # DTS-HD MA
      - 851bd64e04c9374c51102be3dd9ae4cc # FLAC
      - 30f70576671ca933adbdcfc736a69718 # PCM
      - cfa5fbd8f02a86fc55d8d223d06a5e1f # DTS-HD HRA
      - 63487786a8b01b7f20dd2bc90dd4a477 # DDPlus
      - c1a25cd67b5d2e08287c957b1eb903ec # DTS-ES
      - 5964f2a8b3be407d083498e4459d05d0 # DTS
      - a50b8a0c62274a7c38b09a9619ba9d86 # AAC
      - dbe00161b08a25ac6154c55f95e6318d # DD
      - 3e8b714263b26f486972ee1e0fe7606c # MP3
      - 28f6ef16d61e2d1adfce3156ed8257e3 # Opus
      - bd6dd5e043aa27ff4696a08d011c7d96 # 1.0 Mono
      - 834e534f103938853ffced4203b53e72 # 2.0 Stereo
      - 42cba7e38c7947a6d1d0a62580ee6d62 # 3.0 Sound
      - 1895195e84767de180653914ce207245 # 4.0 Sound
      - 3fbafa924f361e66fbc6187af82dfa85 # 5.1 Surround
      - 9fb6d778592c293467437593ef394bf1 # 6.1 Surround
      - 204c8c3e7315bb0ea81332774fa888d6 # 7.1 Surround
      # Unwanted
      - 85c61753df5da1fb2aab6f2a47426b09 # BR-DISK
      - 9c11cd3f07101cdba90a2d81cf0e56b4 # LQ
--- a/ansible/roles/renovate/tasks/main.yml
+++ b/ansible/roles/renovate/tasks/main.yml
@@ -0,0 +1,29 @@
 - name: Create install directory
  file:
    path: "{{ install_directory }}/{{ role_name }}"
    state: directory
    owner: "{{ docker_user }}"
    mode: "{{ docker_compose_directory_mask }}"
  become: true
 - name: Copy docker-compose file to destination
  template:
    src: docker-compose.yml
    dest: "{{ install_directory }}/{{ role_name }}/docker-compose.yml"
    owner: "{{ docker_user }}"
    mode: "{{ docker_compose_file_mask }}"
    validate: docker compose -f %s config
  become: true
 - name: Copy config.js to destination
  template:
    src: config.js
    dest: "{{ install_directory }}/renovate/config.js"
    mode: "{{ docker_compose_file_mask }}"
  become: true
 - name: Start docker container
  community.docker.docker_compose_v2:
    project_src: "{{ install_directory }}/{{ role_name }}"
    pull: always
    remove_orphans: yes
--- a/ansible/roles/renovate/templates/config.js
+++ b/ansible/roles/renovate/templates/config.js
@@ -0,0 +1,14 @@
 module.exports = {
  endpoint: "git.{{ personal_domain }}/api/v2",
  token: '{{ renovate_gitea_token }}',
  platform: 'gitea',
  dryRun: true,
  autodiscover: true,
  onboarding: false,
  redisUrl: 'redis://redis',
  repositoryCache: 'enabled',
  persistRepoData: true,
  binarySource: "docker",
  dockerUser: "{{ primary_uid }}",
  baseDir: "{{ data_dir }}/renovate",
 };
--- a/ansible/roles/renovate/templates/docker-compose.yml
+++ b/ansible/roles/renovate/templates/docker-compose.yml
@@ -0,0 +1,26 @@
 networks:
  docker-socket-proxy:
    external: true
 services:
  renovate:
    container_name: renovate
    image: renovate/renovate:slim
    restart: unless-stopped
    depends_on:
      - redis
    networks:
      - docker-socket-proxy
    user: "{{ service_user.uid }}:{{ service_user.group }}"
    environment:
      - TZ={{ timezone }}
      - DOCKER_HOST=tcp://docker_socket_proxy:2375
      - "RENOVATE_TOKEN={{ renovate_gitea_token }}"
    volumes:
      - "{{ data_dir }}/renovate:/{{ data_dir }}/renovate" # These must be the same
      - ./config.js:/usr/src/app/config.js:ro
  redis:
    image: redis:7-alpine
    restart: unless-stopped
--- a/ansible/roles/renovate/vars/main.yml
+++ b/ansible/roles/renovate/vars/main.yml
@@ -0,0 +1,8 @@
 renovate_gitea_token: !vault |
  $ANSIBLE_VAULT;1.1;AES256
  61383064643566343633633962376238346137633933643634353564316266656338333665613235
  3230613339633561313064393163393537623763393336300a383332626538376335613763313439
  64326566393761666266303438313435346535626231376661653863663664623839663431363632
  6434306532613065650a636562663030363162396435346262353839653736343530393365633331
  65366534333234353239376566326234666566303038396661343137316265306433313235366530
  6164656437346131376165613136363161646437343038393266
--- a/ansible/roles/sabnzbd/tasks/main.yml
+++ b/ansible/roles/sabnzbd/tasks/main.yml
@@ -0,0 +1,31 @@
 - name: Create service user
  user:
    name: "{{ role_name }}"
    groups: "{{ media_group }}"
    append: yes
    system: true
  register: service_user
  become: true
 - name: Create install directory
  file:
    path: "{{ install_directory }}/{{ role_name }}"
    state: directory
    owner: "{{ docker_user }}"
    mode: "{{ docker_compose_directory_mask }}"
  become: true
 - name: Copy docker-compose file to destination
  template:
    src: docker-compose.yml
    dest: "{{ install_directory }}/{{ role_name }}/docker-compose.yml"
    owner: "{{ docker_user }}"
    mode: "{{ docker_compose_file_mask }}"
    validate: docker compose -f %s config
  become: true
 - name: Start docker containers
  community.docker.docker_compose_v2:
    project_src: "{{ install_directory }}/{{ role_name }}"
    pull: always
    remove_orphans: yes
--- a/ansible/roles/sabnzbd/templates/docker-compose.yml
+++ b/ansible/roles/sabnzbd/templates/docker-compose.yml
@@ -0,0 +1,25 @@
 networks:
  traefik:
    external: true
 services:
  sabnzbd:
    container_name: sabnzbd
    image: lscr.io/linuxserver/sabnzbd:latest
    restart: unless-stopped
    networks:
      - traefik
    environment:
      - "PUID={{ service_user.uid }}"
      - "PGID={{ media_gid }}"
      - "TZ={{ timezone }}"
      - "UMASK=002"
    volumes:
      - "{{ data_dir }}/{{ role_name }}:/config"
      - "{{ media_storage_mnt }}/data/usenet:/data/usenet"
    labels:
      traefik.enable: true
      traefik.http.routers.{{ role_name }}.rule: "Host(`{{ role_name }}.local.{{ personal_domain }}`)"
      traefik.http.routers.{{ role_name }}.middlewares: lan-whitelist@file
      traefik.http.services.sabnzbd.loadbalancer.server.port: 8080
--- a/ansible/roles/searxng/handlers/main.yml
+++ b/ansible/roles/searxng/handlers/main.yml
@@ -1,5 +1,5 @@
 - name: restart searxng
  community.docker.docker_compose_v2:
    project_src: "{{ install_directory }}/{{ role_name }}"
-    state: restarted
+    restarted: true
--- a/ansible/roles/searxng/templates/settings.yml
+++ b/ansible/roles/searxng/templates/settings.yml
@@ -17,7 +17,7 @@ search:
  safe_search: 0
  autocomplete: "qwant"
  autocomplete_min: 4
-  default_lang: "en-US"
+  default_lang: "auto"
  ban_time_on_fail: 5
  max_ban_time_on_fail: 120
  suspended_times:
@@ -92,7 +92,7 @@ ui:
  # cache_url: "https://webcache.googleusercontent.com/search?q=cache:"
  # Default interface locale - leave blank to detect from browser information or
  # use codes from the 'locales' config section
-  default_locale: "en"
+  default_locale: ""
  # Open result links in a new tab by default
  # results_on_new_tab: false
  theme_args:
@@ -292,7 +292,7 @@ engines:
  - name: arch linux wiki
    engine: archlinux
-    shortcut: aw
+    shortcut: al
  - name: archive is
    engine: xpath
--- a/ansible/roles/synapse/handlers/main.yml
+++ b/ansible/roles/synapse/handlers/main.yml
@@ -0,0 +1,4 @@
 - name: restart synapse
  community.docker.docker_compose_v2:
    project_src: "{{ install_directory }}/{{ role_name }}"
    restarted: true
--- a/ansible/roles/synapse/tasks/main.yml
+++ b/ansible/roles/synapse/tasks/main.yml
@@ -0,0 +1,77 @@
 - name: Create service user
  user:
    name: "{{ role_name }}"
    system: true
  register: service_user
  become: true
 - name: Create install directory
  file:
    path: "{{ install_directory }}/{{ role_name }}"
    state: directory
    owner: "{{ docker_user }}"
    mode: "{{ docker_compose_directory_mask }}"
  become: true
 - name: Copy docker-compose file to destination
  template:
    src: docker-compose.yml
    dest: "{{ install_directory }}/{{ role_name }}/docker-compose.yml"
    owner: "{{ docker_user }}"
    mode: "{{ docker_compose_file_mask }}"
    validate: docker compose -f %s config
  become: true
 - name: Copy homeserver.yaml to destination
  template:
    src: homeserver.yaml
    dest: "{{ install_directory }}/synapse/homeserver.yaml"
    owner: "{{ service_user.uid }}"
    mode: "{{ docker_compose_file_mask }}"
  notify: restart synapse
  become: true
 - name: Create config directory and set synapse user to owner
  file:
    path: "{{ data_dir }}/synapse"
    state: directory
    owner: "{{ service_user.uid }}"
    mode: "{{ docker_compose_directory_mask }}"
  become: true
 - name: Create nginx config directory
  file:
    path: "{{ data_dir }}/nginx/synapse/www/.well-known/matrix/"
    state: directory
    mode: "{{ docker_compose_directory_mask }}"
  become: true
 - name: Install nginx config file
  template:
    src: nginx/matrix.conf
    dest: "{{ data_dir }}/nginx/synapse/matrix.conf"
    owner: "{{ docker_user }}"
    mode: "{{ docker_compose_file_mask }}"
  become: true
 - name: Install well known client file
  template:
    src: nginx/client.json
    dest: "{{ data_dir }}/nginx/synapse/www/.well-known/matrix/client"
    owner: "{{ docker_user }}"
    mode: "{{ docker_compose_file_mask }}"
  become: true
 - name: Install well known server file
  template:
    src: nginx/server.json
    dest: "{{ data_dir }}/nginx/synapse/www/.well-known/matrix/server"
    owner: "{{ docker_user }}"
    mode: "{{ docker_compose_file_mask }}"
  become: true
 - name: Start docker container
  community.docker.docker_compose_v2:
    project_src: "{{ install_directory }}/{{ role_name }}"
    pull: always
    remove_orphans: yes
--- a/ansible/roles/synapse/templates/docker-compose.yml
+++ b/ansible/roles/synapse/templates/docker-compose.yml
@@ -0,0 +1,67 @@
 networks:
  traefik:
    external: true
 services:
  synapse:
    container_name: "synapse"
    image: matrixdotorg/synapse
    restart: unless-stopped
    depends_on:
      - db
    networks:
      - traefik
      - default
    environment:
      - "UID={{ service_user.uid }}"
      - "GID={{ service_user.uid }}"
      - "TZ={{ timezone }}"
    volumes:
      - "{{ data_dir }}/{{ role_name }}:/data"
      - ./homeserver.yaml:/data/homeserver.yaml
    labels:
      traefik.enable: true
      traefik.http.routers.synapse.rule: "Host(`matrix.{{ personal_domain }}`) || (Host(`{{ personal_domain }}`) && PathPrefix(`/_matrix/`))"
  db:
    image: postgres:14-alpine
    restart: unless-stopped
    networks:
      - default
    environment:
      - POSTGRES_USER=synapse
      - POSTGRES_PASSWORD=synapse
      - POSTGRES_INITDB_ARGS=--encoding=UTF-8 --lc-collate=C --lc-ctype=C
    volumes:
      - "{{ data_dir }}/postgres/synapse:/var/lib/postgresql/data"
  redis:
    networks:
      - default
    image: redis:7-alpine
    restart: unless-stopped
    volumes:
      - "{{ data_dir }}/redis/synapse:/data"
  admin:
    image: awesometechnologies/synapse-admin:latest
    restart: unless-stopped
    networks:
      - traefik
    labels:
      traefik.enable: true
      traefik.http.routers.synapse-admin.rule: "Host(`synapse-admin.local.{{ personal_domain }}`)"
      traefik.http.routers.synapse-admin.middlewares: lan-whitelist@file
  nginx:
    image: nginx:latest
    restart: unless-stopped
    networks:
      - traefik
    volumes:
      - "{{ data_dir }}/nginx/synapse/matrix.conf:/etc/nginx/conf.d/matrix.conf"
      - "{{ data_dir }}/nginx/synapse/www:/var/www"
    labels:
      traefik.enable: true
      traefik.http.routers.matrix.rule: "Host(`{{ personal_domain }}`)"
--- a/ansible/roles/synapse/templates/homeserver.yaml
+++ b/ansible/roles/synapse/templates/homeserver.yaml
@@ -0,0 +1,42 @@
 server_name: "{{ personal_domain }}"
 pid_file: /data/homeserver.pid
 public_baseurl: "https://matrix.{{ personal_domain }}"
 ip_range_whitelist:
  - 10.0.0.0/24
 acme:
  enabled: false
 database:
  name: psycopg2
  args:
    user: synapse
    password: synapse
    database: synapse
    host: db
 redis:
  enabled: true
  host: redis
  port: 6379
 listeners:
  - port: 8008
    tls: false
    type: http
    x_forwarded: true
    resources:
      - names: [client, federation]
        compress: false
 registration_shared_secret: "{{ synapse_registration_shared_secret }}"
 report_stats: true
 media_store_path: /data/media_store
 uploads_path: /data/uploads
 trusted_key_servers:
  - server_name: matrix.org
 suppress_key_server_warning: true
--- a/ansible/roles/synapse/templates/nginx/client.json
+++ b/ansible/roles/synapse/templates/nginx/client.json
@@ -0,0 +1,5 @@
 {
  "m.homeserver": {
    "base_url": "https://matrix.{{ personal_domain }}"
  }
 }
--- a/ansible/roles/synapse/templates/nginx/matrix.conf
+++ b/ansible/roles/synapse/templates/nginx/matrix.conf
@@ -0,0 +1,17 @@
 server {
  listen         80 default_server;
  server_name    {{ personal_domain }};
 # Traefik -> nginx -> synapse
 location /_matrix {
    proxy_pass http://synapse:8008;
    proxy_set_header X-Forwarded-For $remote_addr;
    client_max_body_size 128m;
  }
  location /.well-known/matrix/ {
    root /var/www/;
    default_type application/json;
    add_header Access-Control-Allow-Origin  *;
  }
 }
--- a/ansible/roles/synapse/templates/nginx/server.json
+++ b/ansible/roles/synapse/templates/nginx/server.json
@@ -0,0 +1,4 @@
 {
  "m.server": "matrix.{{ personal_domain }}:443"
 }
--- a/ansible/roles/synapse/vars/main.yml
+++ b/ansible/roles/synapse/vars/main.yml
@@ -0,0 +1,13 @@
 synapse_registration_shared_secret: !vault |
  $ANSIBLE_VAULT;1.1;AES256
  33393864663831636636616361333635343366613633353234363761303235333361376230333863
  6432326363656232323531636139356663623734313161350a653262636439363334353266393563
  61646265303161396630653839346266336335613030623237363537663839306331333064626436
  6262623236353061380a306335356365633164313639633031353663373633306539343464376639
  37396535386631363866343030653835636437303230333430303033616364383734626563336265
  37643164393334316534386266613930383136663934613233313939316533643164623163626334
  31396163383132333365383364323866626264323234353939653236386231636536666261616534
  37353930663863343533636536356363373432383437643965663636323234303730623434386264
  31653131653964376164623039616166376162323235363164303163353363643733643761353264
  63393632366139313538656566393239393465653536356131333430323165356263323839666636
  353466373866616536383761343036666561
--- a/ansible/roles/teamarr/templates/docker-compose.yml
+++ b/ansible/roles/teamarr/templates/docker-compose.yml
@@ -1,20 +0,0 @@
 networks:
  traefik:
    external: true
 services:
  teamarr:
    container_name: teamarr
    image: ghcr.io/egyptiangio/teamarr:latest
    restart: unless-stopped
    networks:
      - traefik
    environment:
      - "TZ={{ timezone }}"
    volumes:
      - "{{ data_dir }}/teamarr:/app/data"
    labels:
      traefik.enable: true
      traefik.http.routers.teamarr.rule: "Host(`teamarr.local.{{ personal_domain }}`)"
      traefik.http.routers.teamarr.middlewares: lan-whitelist@file
      traefik.http.services.teamarr.loadbalancer.server.port: 9195
--- a/ansible/roles/traefik/handlers/main.yml
+++ b/ansible/roles/traefik/handlers/main.yml
@@ -1,4 +1,4 @@
 - name: restart traefik
  community.docker.docker_compose_v2:
    project_src: "{{ install_directory }}/traefik"
-    state: restarted
+    restarted: true
--- a/ansible/roles/traefik/templates/conf/file-provider-adguard.yml
+++ b/ansible/roles/traefik/templates/conf/file-provider-adguard.yml
@@ -0,0 +1,13 @@
 http:
  routers:
    router-adguard:
      rule: "Host(`adguard.local.{{ personal_domain }}`)"
      service: service-adguard
      middlewares:
        - lan-whitelist@file
  services:
    service-adguard:
      loadBalancer:
        servers:
          - url: http://10.0.0.1:81
--- a/ansible/roles/traefik/templates/conf/file-provider-ezbeq.yml
+++ b/ansible/roles/traefik/templates/conf/file-provider-ezbeq.yml
@@ -0,0 +1,13 @@
 http:
  routers:
    router-ezbeq:
      rule: "Host(`ezbeq.local.{{ personal_domain }}`)"
      service: service-ezbeq
      middlewares:
        - lan-whitelist@file
  services:
    service-ezbeq:
      loadBalancer:
        servers:
          - url: http://10.0.0.84:8080
--- a/ansible/roles/traefik/templates/conf/file-provider-homeassistant.yml
+++ b/ansible/roles/traefik/templates/conf/file-provider-homeassistant.yml
@@ -8,4 +8,4 @@ http:
    service-homeassistant:
      loadBalancer:
        servers:
-          - url: http://haos:8123
+          - url: http://10.0.0.27:8123
--- a/ansible/roles/traefik/templates/conf/file-provider-immich.yml
+++ b/ansible/roles/traefik/templates/conf/file-provider-immich.yml
@@ -1,11 +0,0 @@
 http:
  routers:
    router-immich:
      rule: "Host(`photos.{{ personal_domain }}`)"
      service: service-immich
  services:
    service-immich:
      loadBalancer:
        servers:
          - url: http://immich:8080
--- a/ansible/roles/traefik/templates/conf/file-provider-jellyfin.yml
+++ b/ansible/roles/traefik/templates/conf/file-provider-jellyfin.yml
@@ -8,4 +8,4 @@ http:
    service-jellyfin:
      loadBalancer:
        servers:
-          - url: http://jellyfin:8096
+          - url: http://10.0.0.30:8096
--- a/ansible/roles/traefik/templates/conf/file-provider-pbs.yml
+++ b/ansible/roles/traefik/templates/conf/file-provider-pbs.yml
@@ -1,13 +0,0 @@
 http:
  routers:
    router-pbs:
      rule: "Host(`pbs.local.{{ personal_domain }}`)"
      service: service-pbs
      middlewares:
        - lan-whitelist@file
  services:
    service-pbs:
      loadBalancer:
        servers:
          - url: https://10.0.0.28:8007
--- a/ansible/roles/traefik/templates/conf/file-provider-plex.yml
+++ b/ansible/roles/traefik/templates/conf/file-provider-plex.yml
@@ -8,4 +8,4 @@ http:
    service-plex:
      loadBalancer:
        servers:
-          - url: https://plex:32400
+          - url: https://10.0.0.31:32400
--- a/ansible/roles/traefik/templates/conf/file-provider-proxmox.yml
+++ b/ansible/roles/traefik/templates/conf/file-provider-proxmox.yml
@@ -10,4 +10,4 @@ http:
    service-proxmox:
      loadBalancer:
        servers:
-          - url: https://pve:8006
+          - url: https://10.0.0.2:8006
--- a/ansible/roles/traefik/templates/conf/file-provider-qui.yml
+++ b/ansible/roles/traefik/templates/conf/file-provider-qui.yml
@@ -1,11 +0,0 @@
 http:
  routers:
    router-qui:
      rule: "Host(`qui.local.{{ personal_domain }}`)"
      service: service-qui
  services:
    service-qui:
      loadBalancer:
        servers:
          - url: http://arch-web:7476
--- a/ansible/roles/traefik/templates/conf/file-provider-sws.yml
+++ b/ansible/roles/traefik/templates/conf/file-provider-sws.yml
@@ -1,11 +0,0 @@
 http:
  routers:
    router-sws:
      rule: "Host(`mjwilson.org`)"
      service: service-sws
  services:
    service-sws:
      loadBalancer:
        servers:
          - url: http://arch-web:80
--- a/ansible/roles/traefik/templates/conf/middlewares.yml
+++ b/ansible/roles/traefik/templates/conf/middlewares.yml
@@ -4,10 +4,8 @@ http:
      ipWhitelist:
        sourceRange:
          - 10.0.0.0/24
-          - 10.0.2.0/24
+          - 10.67.115.0/24
          - 10.10.10.0/24
          - 172.16.0.0/12
          - 172.18.0.0/12
    secure-headers:
      headers:
@@ -17,4 +15,4 @@ http:
        stsPreload: true
        customResponseHeaders:
          Permissions-Policy: interest-cohort() # Opts out of Google's FLoC network. See https://paramdeo.com/blog/opting-your-website-out-of-googles-floc-network
-          X-Robots-Tag: noindex,nofollow
+          X-Robots-Tag: none
--- a/ansible/roles/traefik/templates/docker-compose.yml
+++ b/ansible/roles/traefik/templates/docker-compose.yml
@@ -1,3 +1,4 @@
 networks:
  traefik:
    external: true
@@ -7,7 +8,7 @@ networks:
 services:
  traefik:
    container_name: traefik
-    image: traefik:v3.1
+    image: traefik:v2.9
    depends_on:
      docker_socket_proxy:
        condition: service_healthy
--- a/ansible/roles/unifi-controller/tasks/main.yml
+++ b/ansible/roles/unifi-controller/tasks/main.yml
@@ -0,0 +1,29 @@
 - name: Create service user
  user:
    name: "{{ role_name }}"
    system: true
  register: service_user
  become: true
 - name: Create install directory
  file:
    path: "{{ install_directory }}/{{ role_name }}"
    state: directory
    owner: "{{ docker_user }}"
    mode: "{{ docker_compose_directory_mask }}"
  become: true
 - name: Copy docker-compose file to destination
  template:
    src: docker-compose.yml
    dest: "{{ install_directory }}/{{ role_name }}/docker-compose.yml"
    owner: "{{ docker_user }}"
    mode: "{{ docker_compose_file_mask }}"
    validate: docker compose -f %s config
  become: true
 - name: Start docker container
  community.docker.docker_compose_v2:
    project_src: "{{ install_directory }}/{{ role_name }}"
    pull: always
    remove_orphans: yes
--- a/ansible/roles/unifi-controller/templates/docker-compose.yml
+++ b/ansible/roles/unifi-controller/templates/docker-compose.yml
@@ -0,0 +1,29 @@
 networks:
  traefik:
    external: true
 services:
  unifi-controller:
    container_name: unifi-controller
    image: lscr.io/linuxserver/unifi-controller:latest
    restart: unless-stopped
    networks:
      - traefik
    ports:
      - 8443:8443 # WebUI
      - 3478:3478/udp # STUN
      - 10001:10001/udp # AP discovery
      - 8080:8080 # Device communication
    environment:
      - "PUID={{ service_user.uid }}"
      - "PGID={{ service_user.uid }}"
      - "TZ={{ timezone }}"
    volumes:
      - "{{ data_dir }}/{{ role_name }}:/config"
    labels:
      traefik.enable: true
      traefik.http.routers.unifi.rule: "Host(`unifi.local.{{ personal_domain }}`)"
      traefik.http.routers.unifi.middlewares: lan-whitelist@file
      traefik.http.services.unifi.loadbalancer.server.scheme: https
      traefik.http.services.unifi.loadbalancer.server.port: 8443
--- a/ansible/roles/wger/files/nginx.conf
+++ b/ansible/roles/wger/files/nginx.conf
@@ -0,0 +1,28 @@
 upstream wger {
    server web:8000;
 }
 server {
    listen 80;
    location / {
        proxy_pass http://wger;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
        proxy_set_header X-Forwarded-Host $host:$server_port;
        proxy_redirect off;
    }
    location /static/ {
        alias /wger/static/;
    }
    location /media/ {
        alias /wger/media/;
    }
    # Increase max body size to allow for video uploads
    client_max_body_size 100M;
 }
--- a/ansible/roles/wger/files/redis.conf
+++ b/ansible/roles/wger/files/redis.conf
--- a/ansible/roles/wger/tasks/main.yml
+++ b/ansible/roles/wger/tasks/main.yml
@@ -0,0 +1,60 @@
 - name: Create install directory
  file:
    path: "{{ install_directory }}/{{ role_name }}"
    state: directory
    owner: "{{ docker_user }}"
    mode: "{{ docker_compose_directory_mask }}"
  become: true
 - name: Create database data directory
  file:
    path: "{{ data_dir }}/postgres/{{ role_name }}"
    state: directory
    owner: "{{ docker_user }}"
    mode: "{{ docker_compose_directory_mask }}"
  become: true
 - name: Create redis data directory
  file:
    path: "{{ data_dir }}/redis/{{ role_name }}"
    state: directory
    owner: "{{ docker_user }}"
    mode: "{{ docker_compose_directory_mask }}"
  become: true
 - name: Create data and config directories
  file:
    path: "{{ data_dir }}/{{ role_name }}/{{ item }}"
    state: directory
    owner: "{{ docker_user }}"
    mode: "{{ docker_compose_directory_mask }}"
  loop:
    - config
    - static
    - media
    - celery-beat
 - name: Install wger config file (templatized)
  template:
    src: prod.env
    dest: "{{ data_dir }}/{{ role_name }}/config/prod.env"
 - name: Install config files
  copy:
    src: ./
    dest: "{{ data_dir }}/{{ role_name }}/config"
 - name: Copy docker-compose file to destination
  template:
    src: docker-compose.yml
    dest: "{{ install_directory }}/{{ role_name }}/docker-compose.yml"
    owner: "{{ docker_user }}"
    mode: "{{ docker_compose_file_mask }}"
    validate: docker compose -f %s config
  become: true
 - name: Start docker container
  community.docker.docker_compose_v2:
    project_src: "{{ install_directory }}/{{ role_name }}"
    pull: always
    remove_orphans: yes
--- a/ansible/roles/wger/templates/docker-compose.yml
+++ b/ansible/roles/wger/templates/docker-compose.yml
@@ -0,0 +1,132 @@
 networks:
  traefik:
    external: true
 services:
  web:
    image: wger/server:latest
    depends_on:
      db:
        condition: service_healthy
      cache:
        condition: service_healthy
    networks:
      - default
    env_file:
      - {{ data_dir }}/{{ role_name }}/config/prod.env
    volumes:
      - {{ data_dir }}/{{ role_name }}/static:/home/wger/static
      - {{ data_dir }}/{{ role_name }}/media:/home/wger/media
    expose:
      - 8000
    healthcheck:
      test: wget --no-verbose --tries=1 --spider http://localhost:8000
      interval: 10s
      timeout: 5s
      start_period: 300s
      retries: 5
    restart: unless-stopped
  nginx:
    image: nginx:stable
    depends_on:
      - web
    networks:
      - traefik
      - default
    volumes:
      - {{ data_dir }}/{{ role_name }}/config/nginx.conf:/etc/nginx/conf.d/default.conf
      - {{ data_dir }}/{{ role_name }}/static:/wger/static:ro
      - {{ data_dir }}/{{ role_name }}/media:/wger/media:ro
    healthcheck:
      test: service nginx status
      interval: 10s
      timeout: 5s
      retries: 5
      start_period: 30s
    restart: unless-stopped
    labels:
      traefik.enable: true
      traefik.http.routers.wger.rule: "Host(`wger.{{ personal_domain }}`)"
      #traefik.http.services.wger.loadbalancer.server.port: 8000
      #traefik.http.routers.wger.middlewares: lan-whitelist@file
  db:
    image: postgres:15-alpine
    environment:
      - POSTGRES_USER=wger
      - POSTGRES_PASSWORD=wger
      - POSTGRES_DB=wger
      - "TZ={{ timezone }}"
    networks:
      - default
    volumes:
      - {{ data_dir }}/postgres/{{ role_name }}:/var/lib/postgresql/data/
    expose:
      - 5432
    healthcheck:
      test: pg_isready -U wger
      interval: 10s
      timeout: 5s
      retries: 5
      start_period: 30s
    restart: unless-stopped
  cache:
    image: redis
    expose:
      - 6379
    networks:
      - default
    volumes:
      - {{ data_dir }}/{{ role_name }}/config/redis.conf:/usr/local/etc/redis/redis.conf
      - {{ data_dir }}/redis/{{ role_name }}/data:/data
    command: [ "redis-server", "/usr/local/etc/redis/redis.conf"]
    healthcheck:
      test: redis-cli ping
      interval: 10s
      timeout: 5s
      retries: 5
      start_period: 30s
    restart: unless-stopped
    # You probably want to limit the memory usage of the cache, otherwise it might
    # hog all the available memory. Remove or change according to your needs.
    #mem_limit: 2gb
  celery_worker:
    image: wger/server:latest
    command: /start-worker
    networks:
      - default
    env_file:
      - {{ data_dir }}/{{ role_name }}/config/prod.env
    volumes:
      - {{ data_dir }}/{{ role_name }}/media:/home/wger/media
    depends_on:
      web:
        condition: service_healthy
    healthcheck:
      test: celery -A wger inspect ping
      interval: 10s
      timeout: 5s
      retries: 5
      start_period: 30s
  celery_beat:
    image: wger/server:latest
    command: /start-beat
    networks:
      - default
    volumes:
      - {{ data_dir }}/{{ role_name }}/celery-beat:/home/wger/beat/
    env_file:
      - {{ data_dir }}/{{ role_name }}/config/prod.env
    depends_on:
      celery_worker:
        condition: service_healthy
  # Heads up, if you remove these volumes and use folders directly you need to chown them
  # to the UID and GID 1000 even if it doesn't exist on your system. Also, they should
  # be readable by everyone.
--- a/ansible/roles/wger/templates/prod.env
+++ b/ansible/roles/wger/templates/prod.env
@@ -0,0 +1,172 @@
 SECRET_KEY="{{ DJANGO_SECRET }}"
 SIGNING_KEY="{{ JWT_SECRET }}"
 TIME_ZONE=America/New_York
 TZ=America/New_York
 CSRF_TRUSTED_ORIGINS="https://wger.{{ personal_domain }}"
 X_FORWARDED_PROTO_HEADER_SET=True
 MEDIA_URL="https://wger.{{ personal_domain }}/media/"
 STATIC_URL="https://wger.{{ personal_domain }}/static/"
 #
 # These settings usually don't need changing
 #
 #
 # Application
 WGER_INSTANCE=https://wger.de # Wger instance from which to sync exercises, images, etc.
 ALLOW_REGISTRATION=True
 ALLOW_GUEST_USERS=True
 ALLOW_UPLOAD_VIDEOS=True
 # Users won't be able to contribute to exercises if their account age is
 # lower than this amount in days.
 MIN_ACCOUNT_AGE_TO_TRUST=21
 # Synchronzing exercises
 # It is recommended to keep the local database synchronized with the wger
 # instance specified in WGER_INSTANCE since there are new added or translations
 # improved. For this you have different possibilities:
 # - Sync exercises on startup:
 # SYNC_EXERCISES_ON_STARTUP=True
 # DOWNLOAD_EXERCISE_IMAGES_ON_STARTUP=True
 # - Sync them in the background with celery. This will setup a job that will run
 #   once a week at a random time (this time is selected once when starting the server)
 SYNC_EXERCISES_CELERY=True
 SYNC_EXERCISE_IMAGES_CELERY=True
 SYNC_EXERCISE_VIDEOS_CELERY=True
 # - Manually trigger the process as needed:
 #   docker compose exec web python3 manage.py sync-exercises
 #   docker compose exec web python3 manage.py download-exercise-images
 #   docker compose exec web python3 manage.py download-exercise-videos
 # Synchronzing ingredients
 # You can also syncronize the ingredients from a remote wger instance, and have
 # basically the same options as for the ingredients:
 # - Sync them in the background with celery. This will setup a job that will run
 #   once a week at a random time (this time is selected once when starting the server)
 SYNC_INGREDIENTS_CELERY=True
 # - Manually trigger the process as needed:
 #   docker compose exec web python3 manage.py sync-ingredients
 # This option controls whether to download ingredients and their images from the
 # configured wger instance. When scanning products with the barcode scanner, it is
 # possible to dynamically fetch the ingredient if it is not known in the local database.
 # Possible values: WGER or None. Requires USE_CELERY to be set to true.
 DOWNLOAD_INGREDIENTS_FROM=WGER
 # Whether celery is configured and should be used. Can be left to true with
 # this setup but can be deactivated if you are using the app in some other way
 USE_CELERY=True
 #
 # Celery
 CELERY_BROKER=redis://cache:6379/2
 CELERY_BACKEND=redis://cache:6379/2
 CELERY_FLOWER_PASSWORD=adminadmin
 #
 # Database
 DJANGO_DB_ENGINE=django.db.backends.postgresql
 DJANGO_DB_DATABASE=wger
 DJANGO_DB_USER=wger
 DJANGO_DB_PASSWORD=wger
 DJANGO_DB_HOST=db
 DJANGO_DB_PORT=5432
 DJANGO_PERFORM_MIGRATIONS=True # Perform any new database migrations on startup
 #
 # Cache
 DJANGO_CACHE_BACKEND=django_redis.cache.RedisCache
 DJANGO_CACHE_LOCATION=redis://cache:6379/1
 DJANGO_CACHE_TIMEOUT=1296000 # in seconds - 60*60*24*15, 15 Days
 DJANGO_CACHE_CLIENT_CLASS=django_redis.client.DefaultClient
 # DJANGO_CACHE_CLIENT_PASSWORD=abcde... # Only if you changed the redis config
 # DJANGO_CACHE_CLIENT_SSL_KEYFILE=/path/to/ssl_keyfile # Path to an ssl private key.
 # DJANGO_CACHE_CLIENT_SSL_CERTFILE=/path/to/ssl_certfile # Path to an ssl certificate.
 # DJANGO_CACHE_CLIENT_SSL_CERT_REQS=<none | optional | required> # The string value for the verify_mode.
 # DJANGO_CACHE_CLIENT_SSL_CHECK_HOSTNAME=False # If set, match the hostname during the SSL handshake.
 #
 # Brute force login attacks
 # https://django-axes.readthedocs.io/en/latest/index.html
 AXES_ENABLED=True
 AXES_FAILURE_LIMIT=10
 AXES_COOLOFF_TIME=30 # in minutes
 AXES_HANDLER=axes.handlers.cache.AxesCacheHandler
 AXES_LOCKOUT_PARAMETERS=ip_address
 AXES_IPWARE_PROXY_COUNT=1
 AXES_IPWARE_META_PRECEDENCE_ORDER=HTTP_X_FORWARDED_FOR,REMOTE_ADDR
 #
 # Others
 DJANGO_DEBUG=False
 WGER_USE_GUNICORN=True
 EXERCISE_CACHE_TTL=18000 # in seconds - 5*60*60, 5 hours
 SITE_URL=http://localhost
 #
 # JWT auth
 ACCESS_TOKEN_LIFETIME=10 # The lifetime duration of the access token, in minutes
 REFRESH_TOKEN_LIFETIME=24 # The lifetime duration of the refresh token, in hours
 #
 # Auth Proxy Authentication
 #
 # Please read the documentation before enabling this feature:
 # https://wger.readthedocs.io/en/latest/administration/auth_proxy.html
 AUTH_PROXY_HEADER=''
 AUTH_PROXY_TRUSTED_IPS=''
 AUTH_PROXY_CREATE_UNKNOWN_USER=False
 AUTH_PROXY_USER_EMAIL_HEADER=''
 AUTH_PROXY_USER_NAME_HEADER=''
 #
 # Other possible settings
 # Recaptcha keys. You will need to create an account and register your domain
 # https://www.google.com/recaptcha/
 # RECAPTCHA_PUBLIC_KEY=abcde...
 # RECAPTCHA_PRIVATE_KEY=abcde...
 USE_RECAPTCHA=False
 # Clears the static files before copying the new ones (i.e. just calls collectstatic
 # with the appropriate flag: "manage.py collectstatic --no-input --clear"). Usually
 # This can be left like this but if you have problems and new static files are not
 # being copied correctly, clearing everything might help
 DJANGO_CLEAR_STATIC_FIRST=False
 #
 # Email
 # https://docs.djangoproject.com/en/4.1/topics/email/#smtp-backend
 # ENABLE_EMAIL=False
 # EMAIL_HOST=email.example.com
 # EMAIL_PORT=587
 # EMAIL_HOST_USER=username
 # EMAIL_HOST_PASSWORD=password
 # EMAIL_USE_TLS=True
 # EMAIL_USE_SSL=False
 FROM_EMAIL='wger Workout Manager <wger@example.com>'
 # Set your name and email to be notified if an internal server error occurs.
 # Needs a working email configuration
 # DJANGO_ADMINS=your name,email@example.com
 # Whether to compress css and js files into one (of each)
 # COMPRESS_ENABLED=True
 #
 # Django Rest Framework
 # The number of proxies in front of the application. In the default configuration
 # only nginx is. Change as approtriate if your setup differs. Also note that this
 # is only used when throttling API requests.
 NUMBER_OF_PROXIES=1
 #
 # Gunicorn
 #
 # Additional gunicorn options, change as needed.
 # For the number of workers to spawn, a usually recommended value is (2 x $num_cores) + 1
 # see:
 #   - https://docs.gunicorn.org/en/stable/settings.html
 #   - https://github.com/wger-project/wger/blob/master/extras/docker/production/entrypoint.sh#L95
 GUNICORN_CMD_ARGS="--workers 3 --threads 2 --worker-class gthread --proxy-protocol True --timeout 240"
--- a/ansible/roles/wger/vars/main.yml
+++ b/ansible/roles/wger/vars/main.yml
@@ -0,0 +1,16 @@
 DJANGO_SECRET: !vault |
  $ANSIBLE_VAULT;1.1;AES256
  64326466343139613339363438386534363564626662366266353732383831613735613130666663
  6464623832646233653332313434303939666633613261640a393132616662326637356263373966
  30623465363333306430636462653738353737376635393366623162383437343430336163373832
  3931363133376466330a373565353636353932653436306165303664366539333263626566393436
  35386366633735373137616238303462616162636362306563343064383764383136
 JWT_SECRET: !vault |
  $ANSIBLE_VAULT;1.1;AES256
  36306265373261313533313237653432663230666162373062373166323061373932366434616532
  6538393830396535633434373530626566316538313732620a636439363632666430613938326164
  36363432363361653665303965353566623861323331306630316265633430616266363462636362
  6132636138306335620a393662663431623566663165383362663138356237343063363239353063
  61336633373963356533396132316432356534373930613434326235346639326634
Author	SHA1	Message	Date
Mike Wilson	76029b6102	Fix deprecated config options in cross-seed	2025-09-22 14:26:49 -04:00
Mike Wilson	a9bf973dc5	Add IPTorrents and ignore uploads for cross-seed	2025-09-22 14:07:51 -04:00
Mike Wilson	d9b568058b	Prefer season packs over single episodes for anime	2025-09-17 10:06:17 -04:00
Mike Wilson	58e5dd177e	Enable vuetorrent and fix ULCX qbitmanage tag	2025-09-17 10:04:09 -04:00
Mike Wilson	9ef90db07b	Add tor and bitcoin-daemon steps	2025-09-05 17:03:39 -04:00
Mike Wilson	458506e798	Add step to enable ufw rules	2025-09-05 16:11:25 -04:00
Mike Wilson	874c759f85	Add UFW task	2025-09-05 15:54:07 -04:00